W32.Duqu-Malware (Update E)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
--------- Begin Update E Part 1 of 4 --------
This updated Alert is a follow-up to the Alert titled “ICS-ALERT-11-291-01D—W32.Duqu: An information-gathering malware” published October 26, 2011 on the ICS-CERT website. A Version C (containing FOUO-related content) was released on the US-CERT Secure Portal.
On November 1, 2011 Symantec [1] and the Laboratory of Cryptography and Systems Security (CrySyS) [2] released updated reports identifying possible affected organizations, the dropper used to infect systems, and a new command and control (C&C) IP address. The below sections highlight the new information identified.
ICS-CERT is in the process of compiling and re-organizing all of the data in this alert for release in an upcoming advisory.
--------- End Update E Part 1 of 4 --------
ICS-CERT, in close coordination with Symantec and the original researchers, has determined after additional analysis that neither industrial control systems (ICSs) nor vendors/manufacturers were targeted by Duqu. In addition, as of October 21, 2011, there have been few infections, and there is no evidence based on current code analysis that Duqu presents a specific threat to ICSs.
--------- Begin Update E Part 2 of 4 --------
According to Symantec, they have confirmed six possible infected organizations in eight countries including France, Netherlands, Switzerland, Ukraine, India, Iran (2), Sudan, and Vietnam. Symantec notes the organizations are only traceable back to an ISP. Other security vendors have reported infections in Austria, Hungary, Indonesia, United Kingdom, and Iran. At this point, a comprehensive list of infected organizations is not available.
--------- End Update E Part 2 of 4 ----------
However, organizations should still remain vigilant against this and other sophisticated malware. ICS-CERT also recommends that the ICS community update intrusion prevention systems (IPSs) and antivirus systems to detect Duqu and other new threats.
ICS-CERT will continue to analyze the malware, monitor the threat landscape, and report additional information as appropriate. ICS-CERT will also continue coordination with Symantec, McAfee, the international community, and ICS stakeholders.
On October 18, 2011, Symantec released a Security Response Report [3] describing W32.Duqu, an information-gathering threat targeting specific organizations, including ICS manufacturers. According to Symantec, W32.Duqu does not contain any code related to ICSs and is primarily a remote access Trojan (RAT).
Symantec reports that the original sample of W32.Duqu was gathered from a research organization based in Europe and that additional variants have been recovered from a second organization in Europe. According to Symantec, the attackers are looking for information, such as design documents, that could potentially be used in a future attack on an industrial control facility.
This threat is highly targeted toward a limited number of organizations, apparently to exfiltrate data concerning their specific assets; the propagation method is not yet known. Symantec indicates that W32.Duqu is not self-replicating.
Symantec reports that other attacks could be ongoing using undetected variants of W32.Duqu. Symantec states that they are continuing to analyze additional variants of W32.Duqu.
--------- Begin Update E Part 3 of 4 --------
On November 1, 2011 the researchers, CrySyS, reported they had located the installer being used to infect systems. Symantec has updated their Security Response Report [4] and described the installer as a Microsoft Word document (file extension: .doc) that exploits a previously unknown (0-day) kernel vulnerability. According to the report, Microsoft is working to issue a patch and advisory for this vulnerability.
Symantec’s report also indicates that the malicious Word document was specially crafted to target the intended receiving organization. This appears to support the assertion that Duqu was highly targeted.
Once a system is infected, attackers can infect other computers in secure zones and control them through a peer-to-peer
--------- End Update E Part 3 of 4 ----------
Key points from the report include:
- The executables share some code with the Stuxnet worm, and they were compiled after the last Stuxnet sample was recovered.
- There is no ICS-specific attack code in Duqu or the infostealer.
- The primary infection vector for Duqu deployment has not yet been discovered/recovered (Duqu does not self-replicate or spread on its own).
- The targeted organizations appear to be limited.
- The malware employed a valid digital certificate (revoked as of October 14, 2011).
- The malware is designed to self-delete after 36 days.
- The Command and Control (C&C) servers are hosted in India (Specific IPs unknown at this time).
McAfee Labs [5] has also published a blog entry on the Duqu malware.
ICS-CERT has reached out to Symantec and McAfee to obtain additional information to assess the threat and identify mitigations that manufacturers and asset owners can employ to reduce their risk to this new threat. ICS-CERT will publish more information as it becomes available.
On October 25, 2011, Kaspersky Labs released an article entitled “The Mystery of Duqu: Part Two” in which four additional Duqu infections were detected on their security network: one system in Sudan and three in Iran.
In addition, Kaspersky Labs has reported that the name and size of the driver file in the infections they analyzed differ from the previously reported file, making it difficult for antivirus software to detect it. As of October 26, 2011, neither Kaspersky Labs nor ICS-CERT has copies of the new files, making a full set of new indicators impossible to determine at this time. In addition, it is possible that the malware authors will continue to craft new variants to avoid detection.
Duqu uses HTTP and HTTPS to communicate with a C&C server at 22.214.171.124 [6]. This server is located in India and has been disabled by the ISP. ICS-CERT strongly recommends that organizations check network and proxy logs for any communication with this IP address. If any communication is identified, please contact ICS-CERT for further guidance.
--------- Begin Update E Part 4 of 4 --------
Symantec has identified a new C&C server that is hosted in Belgium. The IP address reported is 126.96.36.199. This C&C server has been disabled by the hosting provider.
Symantec has provided sample names and hashes for the files identified as part of this threat. Additional indicators from Contagio and Kaspersky are also listed below:
| File Name | MD5 Hash |
| --- | --- |
--------- End Update E Part 4 of 4 ----------
The Contagio website [7] has also provided two new additional indicators as part of this threat.
| File Name | MD5 Hash |
| --- | --- |
--------- End Update D Part 3 of 4 ----------
The full extent of the threat posed by W32.Duqu is currently being evaluated. At this time, no specific mitigations are available; however, organizations should consider taking defensive measures against this threat. Specifically, ICS-CERT encourages organizations to:
- Update antivirus definitions for detection of the Duqu Trojan.
- Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
--------- Begin Update D Part 4 of 4 --------
With new variants of Duqu reported on October 25, 2011, by Kaspersky Labs [8], current antivirus software may not be able to identify all variants of this malware. Organizations should consider adding the following items to their network security plans:
- Monitor for new and unknown services running on client machines.
- Monitor systems on their network for new files added to system directories such as system32 and system32\drivers.
- Monitor for network traffic anomalies, such as:
  - Beaconing to unknown IP addresses
  - Spikes in traffic
  - Outgoing binary files such as jpg
  - HTTP and HTTPS traffic from machines that do not have browsers installed.
--------- End Update D Part 4 of 4 ----------
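One way to act on the log-review recommendations in this alert (contact with the two C&C addresses it names, HTTP/HTTPS from hosts that have no browser installed, and outbound image uploads), as an added example that is not part of the ICS-CERT alert. The simplified proxy-log format, the sample lines and the BROWSERLESS_HOSTS inventory are constructed assumptions.

```python
import re
from collections import Counter

# C&C addresses named in this alert (India, disabled by the ISP; Belgium, disabled by the host).
DUQU_C2 = {"22.214.171.124", "126.96.36.199"}

# Hosts that, by local policy, have no browser installed (assumed inventory, not from the alert).
BROWSERLESS_HOSTS = {"10.0.5.20", "10.0.5.21"}

# Constructed sample lines in a simplified proxy-log format:
# <timestamp> <client-ip> <method> <dest-ip> <port> <bytes-out> <content-type>
SAMPLE_LOG = """\
2011-10-20T08:01:12Z 10.0.1.15 GET 93.184.216.34 80 412 text/html
2011-10-20T08:02:03Z 10.0.1.15 POST 22.214.171.124 80 2048 image/jpeg
2011-10-20T08:05:44Z 10.0.5.20 CONNECT 126.96.36.199 443 980 -
2011-10-20T08:06:10Z 10.0.1.22 GET 93.184.216.34 443 300 text/html
2011-10-20T08:07:55Z 10.0.1.22 POST 203.0.113.9 80 51200 image/jpeg
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\S+)$")

def analyze(log_text):
    """Return a list of (timestamp, client, reason) findings for the indicators above."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, client, method, dest, port, nbytes, ctype = m.groups()
        if dest in DUQU_C2:
            findings.append((ts, client, f"contact with known Duqu C&C {dest}:{port}"))
        if client in BROWSERLESS_HOSTS and port in {"80", "443"}:
            findings.append((ts, client, f"HTTP/HTTPS from host without a browser to {dest}"))
        if method == "POST" and ctype.startswith("image/"):
            findings.append((ts, client, f"outbound image upload ({nbytes} bytes) to {dest}"))
    return findings

def hosts_to_investigate(findings):
    """Client addresses ranked by number of findings, for triage."""
    return Counter(client for _, client, _ in findings).most_common()

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for ts, client, reason in results:
        print(ts, client, reason)
    print(hosts_to_investigate(results))
```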
Although the method of propagation has yet to be determined, the targeted nature of the threat would make social engineering a likely method of attack. ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open unsolicited attachments in e-mail messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
- 1. http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-d..., website last accessed November 01, 2011. Symantec also has a link to version 1.3 of their whitepaper on this site.
- 2. http://www.crysys.hu/, Laboratory of Cryptography and System Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics, website last accessed November 01, 2011.
- 3. W32.Duqu, The Precursor to the Next Stuxnet, Symantec, http://www.symantec.com/content/en/us/enterprise/media/security_response... stuxnet.pdf, website last accessed November 01, 2011.
- 4. http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-d..., website last accessed November 01, 2011.
- 5. The Day of the Golden Jackal, McAfee, http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%..., website last accessed November 01, 2011.
- 6. Updated C&C information has been published in Update C located on the US-CERT Secure Portal. Please contact ICS-CERT for questions regarding this FOUO/TLP AMBER update.
- 7. Contagio malware dump is a collection of the latest malware samples, threats, observations, and analyses. Caution: active malware is available on this website. (http://contagiodump.blogspot.com/2011/10/duqu-rat-trojan-precursor-to-ne...), website last accessed October 26, 2011.
- 8. The Mystery of Duqu: Part Two, Kaspersky Labs, http://www.securelist.com/en/blog/208193197/The_Mystery_of_Duqu_Part_Two, website last accessed October 26, 2011.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870