Security vendor Kaspersky Labs has identified infections with the new Duqu malware in Sudan and Iran.
Duqu is believed to borrow code and functionality from the Stuxnet industrial sabotage worm.
It is a flexible malware delivery framework whose primary intention is data exfiltration.
The primary Trojan module has three components:
- a kernel driver, which injects a rogue DLL into system processes
- the DLL itself, which handles communication with the C&C server and other system operations
- a configuration file.
Its secondary module is an information-stealing keylogger.
It’s not known when the malware originally appeared in the wild, but the first sample was submitted to the VirusTotal service on Sept. 9 from Hungary. Kaspersky Labs has identified multiple variants. Several malware analysts have speculated quite differently as to the make-up and intent of this malware agent. There are at least 13 different driver files involved, adding to the confusion. Duqu appears to be intended for targeted attacks on carefully selected victims. So far there is no indication that any of the victims are linked to nuclear programs, as in the Stuxnet case.
Each Duqu infection has been unique, and contains components with different file names, checksums, and encryption keys, which means that existing detection methods based on known DLL files may be challenged to deal with the threat. Duqu updates itself, changes C&C servers, and installs additional components in order to continue dodging detective controls.
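The detection problem described above, as an added example that is not part of the original article and not any vendor's code: a per-victim variant whose DLL has a different name and checksum slips past a hash blocklist, while a check on which process the module entered and where it was loaded from still fires. The process names, paths, payload bytes and hashes below are constructed for illustration and are not Duqu indicators; the set of "system processes" and trusted directories is an assumption of this example.

```python
"""Hash-based versus behaviour-based detection of a DLL injected into a system process.

Added example, not code from the article or from any vendor.
Every event, path, payload and hash here is constructed; none is a real indicator.
"""
import hashlib
from dataclasses import dataclass

# Assumed for this example: processes a kernel-mode injector would target
# (the article only says "system processes") and the directories a signed
# system DLL is expected to live in.
SYSTEM_PROCESSES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
TRUSTED_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")


@dataclass(frozen=True)
class ModuleLoad:
    """One module-load event from endpoint telemetry (constructed)."""
    process: str    # process the DLL was loaded into
    path: str       # on-disk path of the module
    content: bytes  # stand-in for the module's bytes
    signed: bool    # whether a valid code signature was present

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def hash_detector(events, known_hashes):
    """Classic signature match: fires only when the module hash is on the blocklist."""
    return [e for e in events if e.sha256 in known_hashes]


def behaviour_detector(events):
    """Fires on the behaviour the article describes: a module appearing in a
    system process that is unsigned or loaded from outside the trusted
    system directories, whatever its file name or checksum."""
    hits = []
    for e in events:
        if e.process.lower() not in SYSTEM_PROCESSES:
            continue
        normalised = e.path.lower().replace("\\", "/")
        in_trusted_dir = normalised.startswith(TRUSTED_DIRS)
        if not e.signed or not in_trusted_dir:
            hits.append(e)
    return hits


# Constructed telemetry: a benign load, two variants of the same rogue DLL that
# differ by name, location and content (hence checksum), and an unsigned module
# in a user application that this rule deliberately leaves out of scope.
EVENTS = [
    ModuleLoad("svchost.exe", r"C:\Windows\System32\rpcss.dll",
               b"constructed benign module", True),
    ModuleLoad("services.exe", r"C:\Windows\System32\example_rogue_a.dll",
               b"constructed rogue payload A", False),
    ModuleLoad("lsass.exe", r"C:\ProgramData\example_rogue_b.dll",
               b"constructed rogue payload B", False),
    ModuleLoad("chrome.exe", r"C:\Users\alice\AppData\Local\Temp\plugin.dll",
               b"constructed unsigned plugin", False),
]

# The blocklist only knows the first sample's checksum, as a vendor would after
# a single submission; variant B was never seen.
KNOWN_HASHES = {hashlib.sha256(b"constructed rogue payload A").hexdigest()}


def run_detectors(events=EVENTS, known_hashes=KNOWN_HASHES) -> dict:
    """Return the module paths each detector flags, for comparison."""
    return {
        "hash": [e.path for e in hash_detector(events, known_hashes)],
        "behaviour": [e.path for e in behaviour_detector(events)],
    }


if __name__ == "__main__":
    for name, paths in run_detectors().items():
        print(f"{name:>9}: {paths}")
```

The hash detector catches only the variant whose checksum was already collected, which is exactly the gap the article points at when every infection ships a differently named and differently keyed DLL. The behaviour rule trades that brittleness for a scope decision: it looks only at system processes, so the unsigned plugin in a user application is not reported and would need its own rule.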