Duqu contains a backdoor that steals information. Infostealers need to send the stolen info back somehow. Careful infostealers try to make the transfer look innocent in case somebody is watching network traffic. Duqu hides its traffic by making it look like normal web traffic.

Duqu connects to a server (206.183.111.97 a.k.a. canoyragomez.rapidns.com – which used to be in India) and sends an http request. The server will respond with a blank JPG image. After which Duqu sends back a 56kB JPG file called dsc00001.jpg and appends the stolen information (encrypted with AES) to the end of the image file.

Even if somebody is watching outbound traffic, this wouldn't look too weird.

Duqu components contain different JPG files. One of them is this:



It's a NASA picture of two galaxies colliding.

Why this picture?

Beats us.

Do any of our readers have any ideas?

Post your theories to the comments of this blog entry. Here's one theory to get you started.