NEWS FROM THE LAB - Tuesday, October 18, 2011

Duqu – Stuxnet 2
Posted by Mikko @ 19:33 GMT

Big news today.

A new backdoor created by someone who had access to the source code of Stuxnet has been found.

Stuxnet source code is not out in the wild (only the binaries). Only the original authors have the source code. So, this new backdoor was created by the same party that created Stuxnet. For a refresher on Stuxnet — arguably the most important malware in history — see our Q&A.

Unlike Stuxnet, the new backdoor, known as Duqu, does not target automation or PLC gear. Instead, it's used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack based on the information gathered by Duqu.

The code similarities between Duqu and Stuxnet are obvious. Duqu's kernel driver (JMINET7.SYS) is so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems actually thought it was Stuxnet:

[Screenshot: Duqu / Stuxnet 2]

Stuxnet drivers were signed with stolen certificates belonging to Taiwanese companies called RealTek and JMicron.

Duqu has a driver signed with a stolen certificate belonging to a Taiwanese company called C-Media Electronics Incorporation.


In addition to this signed driver, several other related unsigned driver files have been found, some of them claiming to be from JMicron or IBM:

jminet7.sys
nfrd965.sys

The best research into Duqu so far has been done by Symantec. They've been at it for a while, and have today published a 46-page whitepaper on it.

Was Duqu written by US Government? Or by Israel? We don't know.

Was the target Iran? We don't know.

F-Secure antivirus detects Duqu generically with one of our Gen:Trojan.Heur detections.

P.S. By a coincidence, a website called ISS Source has today published a confused article talking about a new "Stuxnet-like worm" created by Google, Microsoft, and Oracle. We don't believe this article is accurate.

Updated to add: Our description with analysis of Duqu is now online.

SHA-1 hashes for the files referenced above:


Edited to add: Corrections made and screenshots added.