U.S. Department of Homeland Security. ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Alert (ICS-ALERT-11-291-01E)

W32.Duqu-Malware (Update E)

Original release date: November 01, 2011 | Last revised: May 08, 2013

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Summary

--------- Begin Update E Part 1 of 4 --------

This updated Alert is a follow-up to the Alert titled “ICS-ALERT-11-291-01D—W32.Duqu: An information-gathering malware” published October 26, 2011, on the ICS-CERT web page. A Version C (containing FOUO-related content) was released on the US-CERT Secure Portal.

On November 1, 2011, Symantec and the Laboratory of Cryptography and Systems Security (CrySyS) released updated reports identifying possible affected organizations, the dropper used to infect systems, and a new command and control (C&C) IP address. The sections below highlight the new information identified.

ICS-CERT is in the process of compiling and re-organizing all of the data in this alert for release in an upcoming advisory.

--------- End Update E Part 1 of 4 --------

ICS-CERT, in close coordination with Symantec and the original researchers, has determined after additional analysis that neither industrial control systems (ICSs) nor vendors/manufacturers were targeted by Duqu. In addition, as of October 21, 2011, there have been few infections, and there is no evidence based on current code analysis that Duqu presents a specific threat to ICSs.

--------- Begin Update E Part 2 of 4 --------

According to Symantec, they have confirmed six possibly infected organizations in eight countries, including France, Netherlands, Switzerland, Ukraine, India, Iran (2), Sudan, and Vietnam. Symantec notes the organizations are only traceable back to an ISP. Other security vendors have reported infections in Austria, Hungary, Indonesia, United Kingdom, and Iran. At this point, a comprehensive list of infected organizations is not available.

--------- End Update E Part 2 of 4 ----------

However, organizations should still remain vigilant against this and other sophisticated malware. ICS-CERT also recommends that the ICS community update intrusion prevention systems (IPSs) and antivirus systems to detect Duqu and other new threats.

ICS-CERT will continue to analyze the malware, monitor the threat landscape, and report additional information as appropriate. ICS-CERT will also continue coordination with Symantec, McAfee, the international community, and ICS stakeholders.

On October 18, 2011, Symantec released a Security Response Report describing W32.Duqu, an information-gathering threat targeting specific organizations, including ICS manufacturers. According to Symantec, W32.Duqu does not contain any code related to ICSs and is primarily a remote access Trojan (RAT).

Symantec reports that the original sample of W32.Duqu was gathered from a research organization based in Europe and that additional variants have been recovered from a second organization in Europe. According to Symantec, the attackers are looking for information, such as design documents, that could potentially be used in a future attack on an industrial control facility.

This threat is highly targeted toward a limited number of organizations, apparently to exfiltrate data concerning their specific assets; the propagation method is not yet known. Symantec indicates that W32.Duqu is not self-replicating.

Symantec reports that other attacks could be ongoing using undetected variants of W32.Duqu. Symantec states that they are continuing to analyze additional variants of W32.Duqu.

--------- Begin Update E Part 3 of 4 --------

On November 1, 2011, the CrySyS researchers reported they had located the installer being used to infect systems. Symantec has updated their Security Response Report and described the installer as a Microsoft Word document (file extension: .doc) that exploits a previously unknown (0-day) kernel vulnerability. According to the report, Microsoft is working to issue a patch and advisory for this vulnerability.

Symantec’s report also indicates that the malicious Word document was specially crafted to target the intended receiving organization. This appears to support the assertion that Duqu was highly targeted.

Once a system is infected, attackers can infect other computers in secure zones and control them through a peer-to-peer C&C protocol.

--------- End Update E Part 3 of 4 ----------

Key points from the report include:

  • The executables share some code with the Stuxnet worm, and they were compiled after the last Stuxnet sample was recovered.
  • There is no ICS-specific attack code in Duqu or its infostealer.
  • The primary infection vector for Duqu deployment has not yet been discovered/recovered (Duqu does not self-replicate or spread on its own).
  • The targeted organizations appear to be limited.
  • The malware employed a valid digital certificate (revoked as of October 14, 2011).
  • The malware is designed to self-delete after 36 days.
  • The Command and Control (C&C) servers are hosted in India (specific IPs were unknown at the time of the original report).

McAfee Labs has also published a blog entry on the Duqu malware.

ICS-CERT has reached out to Symantec and McAfee to obtain additional information to assess the threat and identify mitigations that manufacturers and asset owners can employ to reduce their risk to this new threat. ICS-CERT will publish more information as it becomes available.

On October 25, 2011, Kaspersky Labs released an article entitled “The Mystery of Duqu: Part Two” reporting four additional Duqu infections detected on their security network: one system in Sudan and three in Iran.

In addition, Kaspersky Labs has reported that the name and size of the driver file in the infections they analyzed differ from the previously reported file, making it difficult for antivirus software to detect it. As of October 26, 2011, neither Kaspersky Labs nor ICS-CERT had copies of the new files, making a full set of new indicators impossible to determine at this time. In addition, it is possible that the malware authors will continue to craft new variants to avoid detection.

Possible Indicators

Duqu uses HTTP and HTTPS to communicate with a C&C server at 206.183.111.97. This server is located in India and has been disabled by the ISP. ICS-CERT strongly recommends that organizations check network and proxy logs for any communication with this IP address. If any communication is identified, please contact ICS-CERT for further guidance.

--------- Begin Update E Part 4 of 4--------

Symantec has identified a new C&C server that is hosted in Belgium. The IP address reported is 77.241.93.160. This C&C server has been disabled by the hosting provider.
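The log check recommended above, written out as an added example (this is not code from the alert or from Symantec). The two C&C addresses are the ones published in this alert; the log lines are constructed for illustration and follow the Squid access.log layout. A different proxy or firewall needs a different regular expression, but the matching logic stays the same: extract whole dotted quads from the URL and upstream-peer fields and intersect them with the C&C set, so that an address such as 206.183.111.970 is never mistaken for 206.183.111.97.

```python
"""Check proxy logs for contact with the Duqu C&C addresses named in the alert.

Added example, not code from the ICS-CERT alert. The two C&C addresses are the
ones published in the alert; the log lines are constructed for illustration and
follow the Squid access.log layout (assumption: another proxy needs another
regular expression, the matching logic does not change).
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# C&C addresses published in the alert (both since taken down by their providers).
DUQU_C2: Set[ipaddress.IPv4Address] = {
    ipaddress.ip_address("206.183.111.97"),  # India
    ipaddress.ip_address("77.241.93.160"),   # Belgium
}

# Squid access.log fields: time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
_SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)"
)
# Whole dotted quads only: "206.183.111.970" must not be read as 206.183.111.97.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def addresses_in(field: str) -> Set[ipaddress.IPv4Address]:
    """Return every valid IPv4 address embedded in a log field."""
    found = set()
    for quad in _IPV4_RE.findall(field):
        try:
            found.add(ipaddress.ip_address(quad))
        except ValueError:
            pass  # an octet above 255: not an address at all
    return found


def find_c2_contacts(lines: Iterable[str], c2: Set = DUQU_C2) -> List[Dict[str, str]]:
    """Return one record per log line whose destination is a known C&C address.

    Plain HTTP carries the address in the URL; HTTPS through a proxy shows up
    as a CONNECT to host:443; the hierarchy field names the upstream peer in
    both cases, so the URL and the peer are both checked.
    """
    hits = []
    for line in lines:
        m = _SQUID_RE.match(line.strip())
        if not m:
            continue  # not an access.log record (comment, rotated header, ...)
        matched = (addresses_in(m.group("url")) | addresses_in(m.group("hier"))) & c2
        for addr in sorted(matched, key=str):
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "method": m.group("method"), "dest": str(addr)})
    return hits


# Constructed sample: two real contacts, one ordinary page load, one look-alike decoy.
SAMPLE_LOG = """\
1319000001.123   245 10.1.5.23 TCP_MISS/200 5120 GET http://206.183.111.97/ - DIRECT/206.183.111.97 image/jpeg
1319000002.456    12 10.1.5.44 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1319000003.789  3000 10.1.7.9 TCP_TUNNEL/200 8192 CONNECT 77.241.93.160:443 - DIRECT/77.241.93.160 -
1319000004.000    50 10.1.5.44 TCP_MISS/200 1024 GET http://206.183.111.970/ - DIRECT/203.0.113.11 text/html
"""

if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against a real access.log the same way, one line at a time, and treat every hit as an incident to report rather than a definitive infection: both servers were disabled, so a contact seen after that date is a stale beacon or a sinkhole response, but it still identifies a host that carried the implant.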

Symantec has provided sample names and hashes for the files identified as part of this threat. Additional indicators from Contagio and Kaspersky are also listed below:

File Name      MD5 Hash
cmi4432.pnf    0a566b1616c8afeef214372b1a0580c7
netp192.pnf    94c4ef91dfcd0c53a96fdc387f9f9c35
cmi4464.PNF    e8d6b4dadb96ddb58775e6c85b10b6cc
netp191.PNF    b4ac366e24204d821376653279cbad86
cmi4432.sys    4541e850a228eb69fd0f0e924624b245
jminet7.sys    0eecd17c6c215b358b7b872b74bfd800
Infostealer    9749d38ae9b9ddd81b50aad679ee87ec

--------- End Update E Part 4 of 4 ----------

The Contagio website has also provided two additional indicators for this threat.

File Name      MD5 Hash
adpu321.sys    3d83b077d32c422d6c7016b5083b9fc2
nfrd965.sys    C9A31EA148232B201FE7CB7DB5C75F5E
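A scanner that matches files on disk against the two indicator tables above, as an added example (not code from the alert, Symantec, Contagio or Kaspersky). The MD5 values and file names are the published ones; the directory root is a parameter so it can be pointed at system32 and system32\drivers, which the Mitigation section tells defenders to watch, or at a test tree. The self_check function builds a throwaway directory with constructed, harmless files so the scanner can be exercised without any malware sample.

```python
"""Match files under a directory tree against the published Duqu indicators.

Added example, not code from the ICS-CERT alert. Hashes and names come from the
indicator tables in the alert. Assumptions: the root to scan is supplied by the
caller (e.g. C:\\Windows\\System32), and MD5 is used only because that is the
digest the indicators were published in.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set

# Published MD5 hashes (Symantec, Contagio, Kaspersky), normalised to lowercase.
DUQU_MD5: Set[str] = {h.lower() for h in (
    "0a566b1616c8afeef214372b1a0580c7", "94c4ef91dfcd0c53a96fdc387f9f9c35",
    "e8d6b4dadb96ddb58775e6c85b10b6cc", "b4ac366e24204d821376653279cbad86",
    "4541e850a228eb69fd0f0e924624b245", "0eecd17c6c215b358b7b872b74bfd800",
    "9749d38ae9b9ddd81b50aad679ee87ec", "3d83b077d32c422d6c7016b5083b9fc2",
    "C9A31EA148232B201FE7CB7DB5C75F5E",
)}
# Published file names; "Infostealer" is a label, not a file name, so it is omitted.
DUQU_NAMES: Set[str] = {
    "cmi4432.pnf", "netp192.pnf", "cmi4464.pnf", "netp191.pnf",
    "cmi4432.sys", "jminet7.sys", "adpu321.sys", "nfrd965.sys",
}


def md5_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through MD5 so large drivers do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, hashes: Set[str] = DUQU_MD5,
              names: Set[str] = DUQU_NAMES) -> List[Dict[str, object]]:
    """Walk root and report files whose MD5 or (case-insensitive) name is an indicator.

    A hash match is strong evidence; a name-only match is weak, since the alert
    itself notes that later variants changed the driver name and size.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable; a real scan should log this
            reasons = []
            if digest in hashes:
                reasons.append("md5")
            if name.lower() in names:
                reasons.append("name")
            if reasons:
                findings.append({"path": path, "name": name, "md5": digest, "reasons": reasons})
    return findings


def self_check() -> List[Dict[str, object]]:
    """Scan a constructed tree: one hash hit, one name-only hit, one clean file.

    The "hash hit" is a harmless file whose own MD5 is added to the indicator
    set for the test; nothing here is malware.
    """
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "system32", "drivers")
        os.makedirs(drivers)
        hash_hit = os.path.join(root, "system32", "stage.pnf")
        with open(hash_hit, "wb") as f:
            f.write(b"constructed sample, not malware\n")
        with open(os.path.join(drivers, "jminet7.sys"), "wb") as f:
            f.write(b"benign file that only reuses an indicator file name\n")
        with open(os.path.join(drivers, "clean.sys"), "wb") as f:
            f.write(b"nothing to see\n")
        return scan_tree(root, hashes=DUQU_MD5 | {md5_of(hash_hit)})


if __name__ == "__main__":
    for finding in self_check():
        print(finding["name"], finding["reasons"], finding["md5"])
```

Treat the output the way the alert frames the indicators: a hash match identifies one of the published samples, while a renamed or repacked variant of the kind Kaspersky reported will produce neither a hash nor a name match, so a clean scan does not rule out infection.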


Mitigation

The full extent of the threat posed by W32.Duqu is currently being evaluated. At this time, no specific mitigations are available; however, organizations should consider taking defensive measures against this threat. Specifically, ICS-CERT encourages organizations to:

  • Update antivirus definitions for detection of the Duqu Trojan.
  • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

--------- Begin Update D Part 4 of 4 --------
With new variants of Duqu reported on October 25, 2011, by Kaspersky Labs, current antivirus software may not be able to identify all variants of this malware. Organizations should consider adding the following items to their network security plans:

  • Monitor for new and unknown services running on client machines.
  • Monitor systems on their network for new files added to system directories such as system32 and system32\drivers.
  • Monitor for network traffic anomalies, such as:
    • Beaconing to unknown IP addresses
    • Spikes in traffic
    • Outgoing binary files such as .jpg images
    • HTTP and HTTPS traffic from machines that do not have browsers installed.
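Two of the traffic-anomaly checks listed above, beaconing and web traffic from hosts that should not browse, worked through over flow records as an added example (not code from the alert). The records are constructed and stand in for firewall or NetFlow exports; the set of hosts expected to browse (BROWSER_HOSTS) and the beacon threshold (at least four contacts to one address with a coefficient of variation of the gaps at or below 0.2) are assumptions to tune for a real network.

```python
"""Flag web traffic from non-browser hosts and regular beaconing in flow records.

Added example, not code from the ICS-CERT alert. Flow records are constructed
as (timestamp in seconds, source host, destination IP, destination port).
Assumptions: BROWSER_HOSTS lists the machines expected to make HTTP/HTTPS
connections, and a beacon is a client that contacts one external address at
near-constant intervals (low jitter in the inter-arrival gaps).
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[float, str, str, int]  # (ts, src, dst, dport)
WEB_PORTS = {80, 443}


def http_from_non_browsers(flows: Iterable[Flow], browser_hosts: Set[str]) -> List[str]:
    """Hosts that made HTTP/HTTPS connections without being expected to browse."""
    offenders = {src for _, src, _, dport in flows
                 if dport in WEB_PORTS and src not in browser_hosts}
    return sorted(offenders)


def beacon_candidates(flows: Iterable[Flow], min_events: int = 4,
                      max_jitter: float = 0.2) -> List[Dict[str, object]]:
    """(src, dst) pairs contacted at near-constant intervals.

    jitter = population standard deviation of the gaps divided by their mean;
    a human browsing produces gaps that vary wildly (jitter well above 1),
    while a timer-driven implant produces gaps that barely vary.
    """
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)

    out = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_events:
            continue  # too few contacts to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # burst of identical timestamps, not a timer
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            out.append({"src": src, "dst": dst, "count": len(stamps),
                        "interval": round(avg, 1), "jitter": round(jitter, 3)})
    return out


# Constructed inventory: the one workstation that is expected to browse.
BROWSER_HOSTS: Set[str] = {"10.1.5.44"}

# Constructed flow records.
SAMPLE_FLOWS: List[Flow] = [
    # 10.1.5.23 (engineering workstation, no browser) contacts one address every ~300 s.
    (0.0, "10.1.5.23", "203.0.113.7", 443),
    (298.0, "10.1.5.23", "203.0.113.7", 443),
    (602.0, "10.1.5.23", "203.0.113.7", 443),
    (901.0, "10.1.5.23", "203.0.113.7", 443),
    (1203.0, "10.1.5.23", "203.0.113.7", 443),
    # 10.1.5.44 browses normally: irregular timing, more than one destination.
    (10.0, "10.1.5.44", "203.0.113.20", 443),
    (11.0, "10.1.5.44", "203.0.113.20", 443),
    (400.0, "10.1.5.44", "203.0.113.20", 443),
    (405.0, "10.1.5.44", "203.0.113.20", 443),
    (2000.0, "10.1.5.44", "203.0.113.20", 443),
    (15.0, "10.1.5.44", "203.0.113.21", 80),
    # 10.1.7.9 (HMI, no browser): a single outbound HTTP request.
    (50.0, "10.1.7.9", "203.0.113.8", 80),
    # Internal SMB traffic, ignored by both checks.
    (60.0, "10.1.7.9", "10.1.5.23", 445),
]

if __name__ == "__main__":
    print("web traffic from non-browser hosts:", http_from_non_browsers(SAMPLE_FLOWS, BROWSER_HOSTS))
    print("beacon candidates:", beacon_candidates(SAMPLE_FLOWS))
```

The two checks are complementary: the HMI at 10.1.7.9 is caught by the allowlist check after a single request, while the engineering workstation is caught by both, and the beacon check would still fire if that host were later added to the browser allowlist.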

--------- End Update D Part 4 of 4 ----------

Although the method of propagation has yet to be determined, the targeted nature of the threat would make social engineering a likely method of attack. ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in e-mail messages
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  http://ics-cert.us-cert.gov 
or incident reporting:  https://ics-cert.us-cert.gov/Report-Incident?
