
Earlier this year a new piece of malware was detected inside Kaspersky Lab's own network; it had spread through and infected the company's systems.

Following this finding, the company launched a thorough investigation, at the end of which its researchers identified a new strain of malware whose capabilities indicate a high level of sophistication and advanced espionage abilities.

Following this discovery, the company's researchers notified the relevant authorities around the world, after which further infected systems were discovered in the U.S., the UK, Sweden, India and Hong Kong.

Further analysis revealed that the attackers used the malware to spy on the Iran nuclear negotiations held in hotels in Switzerland, and on the events marking the 70th anniversary of the liberation of Auschwitz.

Duqu2 is in fact a new, updated variant of the infamous Duqu, hence its name.

As a reminder, the original Duqu was an advanced spyware worm whose capabilities included gathering data (sensitive files, passwords, user details and more) and deleting files on the infected computer. Duqu had several distinctive features, among them the use of a zero-day exploit for the Windows operating system (CVE-2011-3402) and the use of stolen code-signing certificates as a disguise to get past security controls. In addition, Duqu could communicate in real time with its operators to receive instructions through a command-and-control (C&C) server.

Duqu passed the stolen information to its operators by writing it to files whose names begin with ~DQ (the prefix that gave the malware its name) and sending them by e-mail or over disguised connections to a collection server masquerading as an innocent website.

Beyond that, Duqu also used JPEG images and encrypted containers to store and transmit stolen data. After 36 days of spying, Duqu removed itself from the infected computers and systems without leaving a trace.

Analysis of Duqu2 and its mode of operation reveals the following:

The structure of the malware:

Duqu2 is built of two parts. The first is a backdoor that allows two-way communication between the victim's computer and the malware operators. The second is a set of modules that provide advanced intelligence-gathering capabilities, such as mapping the network the victim's computer is connected to and remotely activating the eavesdropping hardware built into the victim's computer (microphone, camera and the like).

How the victims were infected:

The initial infection vector is unknown, but the suspicion is that it was a sophisticated, targeted spear-phishing e-mail. This suspicion rests on the fact that on the computers believed to be the initial infection points, all browsing history and e-mail correspondence had been deleted.

The next stage of the attack:

To plant Duqu2 on the victims' computers, the attackers used zero-day exploits for the Windows operating system that let an ordinary domain user escalate their privileges to Administrator. They also used "pass the hash" to move from computer to computer across the internal network and thereby reach the entire pool of network resources.

It should be noted that the attackers protected the worm so that it would survive Microsoft's security patches by having it present a genuine digital certificate belonging to Foxconn (and others like it) as proof of its legitimacy to the system.

Once Administrator rights had been obtained, the attackers took several steps to spread the malware across the network: they prepared encrypted installation packages for the malware, disguised as legitimate Windows MSI installer packages, and distributed them throughout the network. The packages were installed using msiexec.exe (the operating system's own installer executable). In addition, the attackers created a service on the network that ran the installation package through the operating system's Task Scheduler.

Once the package was running on the network's computers, it served as a loader for the rest of the Duqu2 modules. From the inspection carried out, the installation package appears to have contained about ten different modules, which provide the spying capabilities described below.
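The lateral-movement pattern described above (quiet msiexec installs from a staging location, plus scheduled tasks that run msiexec) is something a defender can hunt for in Windows Security event logs. The following is an added example, not Kaspersky's or the authors' code: it runs a simple rule over a constructed list of records that stand in for event 4688 (process creation) and 4698 (scheduled task created). The record layout, field names and sample values are assumptions made for the example, not real telemetry.

```python
"""Flag msiexec-based remote installs and scheduled tasks in Windows event records.

Added example; not Kaspersky's or the article authors' code. The dicts below are a
simplified stand-in for Security log events 4688 (process creation) and 4698
(scheduled task created); the sample records are constructed, not real captures.
"""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "4688", "host": "fs01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\Temp\setup.msi" /q'},
    {"id": "4688", "host": "ws23", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "\\fs01\share$\update.msi" /qn'},
    {"id": "4698", "host": "ws23", "user": "CORP\\admin",
     "task_name": r"\Microsoft\Windows\Update\Deploy",
     "task_action": r"C:\Windows\System32\msiexec.exe /i C:\Windows\Temp\setup.msi /q"},
    {"id": "4688", "host": "ws07", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bob\Downloads\7z1900-x64.msi"'},
    {"id": "4688", "host": "ws07", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# /q, /qn or /qb as a standalone token: a silent install with no UI for the user to notice.
QUIET_FLAG = re.compile(r"(?<!\S)/q[nb]?(?!\S)", re.IGNORECASE)
# Package pulled from a UNC share or from C:\Windows\Temp, typical staging spots for
# an installer pushed across the network rather than run by a user.
STAGING_PATH = re.compile(r"(^|[\s\"'])(\\\\[^\\]+\\|[a-z]:\\windows\\temp\\)", re.IGNORECASE)


def is_suspicious_msi_install(cmdline: str) -> bool:
    """True for a quiet msiexec install whose package sits on a share or in Windows\\Temp."""
    return ("msiexec" in cmdline.lower()
            and bool(QUIET_FLAG.search(cmdline))
            and bool(STAGING_PATH.search(cmdline)))


def find_msi_lateral_movement(events: List[Dict[str, str]]) -> List[str]:
    """Return one human-readable finding per event that matches the rule."""
    findings = []
    for ev in events:
        if ev["id"] == "4688" and is_suspicious_msi_install(ev["cmdline"]):
            findings.append(f"{ev['host']}: quiet msiexec install from a staging path "
                            f"by {ev['user']}: {ev['cmdline']}")
        elif ev["id"] == "4698" and "msiexec" in ev["task_action"].lower():
            findings.append(f"{ev['host']}: scheduled task {ev['task_name']} "
                            f"runs msiexec: {ev['task_action']}")
    return findings


if __name__ == "__main__":
    for line in find_msi_lateral_movement(SAMPLE_EVENTS):
        print(line)
```

The rule deliberately ignores the user-driven install from a Downloads folder (fourth record), so the signal is the combination of a silent install and an unusual package location, not msiexec itself; in a real deployment the staging paths would be tuned to the organisation's own software-distribution shares.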

It should be mentioned that the attackers took care to use several encryption algorithms and varying file names in order to evade detection by protections such as anti-virus software. This indicates a high level of sophistication and a deep understanding of the malware-detection field on the attackers' part.

The Duqu2 orchestrator is the component that communicates with the attackers' C&C servers. Communication was carried out over HTTPS, encrypted under a self-signed certificate. The attackers also used SMB named pipes, TCP/IP connections in a custom protocol, and plain HTTP for passing encoded and encrypted data hidden inside JPEG/GIF image files, as Duqu did before it.
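Hiding C&C traffic inside an image usually means appending the encrypted payload after the image's structural end, so that the file still opens as a picture. The code below is an added example, not Kaspersky's or the authors' code, and it assumes that layout (appended payload) rather than any specific Duqu2 file format: it parses a JPEG or GIF to its real end and returns whatever follows. The two sample images are constructed by hand (minimal and not viewable), and a naive "cut at the first end marker" version is included to show why proper parsing matters: the EOI bytes FF D9 and the GIF trailer 0x3B also occur legitimately inside thumbnails and compressed image data.

```python
"""Find data appended after the end of a JPEG or GIF image.

Added example, not Kaspersky's or the article authors' code. Assumes the hidden
payload is appended after the image's structural end. The sample images are
constructed by hand for this example and are minimal, not viewable pictures.
"""


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking segments rather than
    searching bytes, so an FF D9 inside an APPn thumbnail is not mistaken for it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length                        # marker + length-prefixed payload
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            # Inside scan data FF is always followed by 00 (stuffing), FF (fill)
            # or D0-D7 (restart markers); anything else is a real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker")


def gif_end_offset(data: bytes) -> int:
    """Offset just past the 0x3B trailer, found by walking GIF blocks."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")

    def color_table_size(packed: int) -> int:
        return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0

    def skip_sub_blocks(p: int) -> int:        # length-prefixed blocks ended by 0x00
        while data[p] != 0:
            p += 1 + data[p]
        return p + 1

    pos = 13 + color_table_size(data[10])      # header + logical screen descriptor + GCT
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                        # trailer
            return pos + 1
        if block == 0x21:                        # extension: introducer, label, sub-blocks
            pos = skip_sub_blocks(pos + 2)
        elif block == 0x2C:                      # image descriptor, LCT, LZW code size, data
            pos = skip_sub_blocks(pos + 10 + color_table_size(data[pos + 9]) + 1)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")
    raise ValueError("no trailer")


def trailing_payload(data: bytes) -> bytes:
    """Bytes that follow the image's real end (empty for a clean image)."""
    if data.startswith(b"\xff\xd8"):
        return data[jpeg_end_offset(data):]
    if data.startswith((b"GIF87a", b"GIF89a")):
        return data[gif_end_offset(data):]
    raise ValueError("not a JPEG or GIF")


def naive_trailing_payload(data: bytes) -> bytes:
    """The wrong way: cut at the first end-marker byte sequence seen."""
    end = data.find(b"\xff\xd9") + 2 if data[:2] == b"\xff\xd8" else data.find(b"\x3b") + 1
    return data[end:]


# Constructed samples. The JPEG carries an APP1 segment with an embedded FF D9
# (as an EXIF thumbnail would) and scan data with stuffed FF 00 and an RST0 marker.
JPEG_CLEAN = (b"\xff\xd8"
              + b"\xff\xe1\x00\x06\xff\xd8\xff\xd9"            # APP1 containing FF D9
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"    # SOS header, 1 component
              + b"\x12\xff\x00\x34\xff\xd0\x56"                # entropy-coded data
              + b"\xff\xd9")                                   # real EOI
JPEG_WITH_PAYLOAD = JPEG_CLEAN + b"SECRET"
# The GIF's LZW sub-block contains a 0x3B byte before the real trailer.
GIF_CLEAN = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"       # 1x1, no global colour table
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor
             + b"\x02" + b"\x03\x3b\x01\x02\x00"                # LZW code size + data
             + b"\x3b")                                        # real trailer
GIF_WITH_PAYLOAD = GIF_CLEAN + b";hidden"

if __name__ == "__main__":
    print(trailing_payload(JPEG_WITH_PAYLOAD), trailing_payload(GIF_WITH_PAYLOAD))
```

Run over a proxy's cached images, a non-empty result from `trailing_payload` is the artifact worth pulling for decryption; the naive variant returns garbage on both samples because it stops at the thumbnail's EOI and at the 0x3B inside the LZW data.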

Beyond the orchestrator, the installation package contained further spying modules. The main ones are:

A module for gathering information about the computer and the network it sits on.

A module for enumerating domains and mapping all servers and network shares in the domain.

A credential-harvesting module designed to steal administrator passwords from processes running on the computer and use them to connect to further computers.

A remote-desktop administration module, with the ability to send and receive data to and from the desktop, move the mouse pointer and capture screenshots of the user's desktop.

A module for detecting network sniffers and monitoring tools running on the platform (Wireshark, TCPView, netstat, dumpcap, perfmon and the like).

A module for extracting information from databases.

Another part of what makes Duqu2 unique and complex is that the worm ran entirely in the infected computer's memory, leaving no trace on disk (the moment the computer is switched off and on again, the worm disappears). To re-spread it after a reboot, the attackers infected servers with long uptimes and from there re-infected machines that are restarted more often.

Duqu2 is the next generation of spyware. Its level of sophistication reflects technological capabilities that suggest a nation state, or some other body with substantial resources, was behind it.

A spelling mistake in the information-gathering module suggests that the module's author is not a native English speaker, but there is no way of knowing whether or not the mistake was planted on purpose.

In conclusion, we have no information today as to why Kaspersky's corporate network was infected or who is behind the attack. So far we have seen a variety of theories regarding the attackers' identity, but neither we nor anyone else has any solid proof.

By Guy Dagan – manager of information and cyber security awareness

Mickey Schauder – cyber warfare field

Bank Hapoalim