We discussed much of the unfolding Duqu attack in our previous post. Some new light has recently illuminated some missing pieces to this interesting attack.
Researchers at CrySys Labs in Hungary have disclosed information about a Word document that is purported to be the installer file for the Duqu attacks. The document loads a kernel driver after exploitation from a possible new zero-day vulnerability, which then loads a DLL into Services.exe to start the Duqu installation. This driver appears to have been compiled on Thu Feb 21 06:14:47 2008, according to the time stamp in its PE header. The driver is not signed, as it is loaded via the zero-day exploit that results in kernel memory access.
We have already seen several indications that this threat was related to Stuxnet in some form. When comparing the code of the first Duqu samples we received with older Stuxnet variants, we noticed several similarities, and even exact matches for some important functions such as the DLL-injection routine, decryption of strings and external modules, and management of tables for indirect API calls, among others. Due to the 2008 timeframe for the driver code in question, we have yet another clue, beside the zero-day exploit, that this code is likely based on the same base as Stuxnet, which reused old driver code in several cases while creating new exploits.
Detection has been added for these new malware to our existing Duqu coverage: PWS-Duqu, PWS-Duqu!rootkit, and PWS-Duqu!dat.
More to come as this tale unfolds!
By: Peter Szor and Guilherme Venere