Context
On 1 September 2011, the Laboratory of Cryptography and System Security (CrySyS Lab) in Hungary discovered a new piece of malware. It was named Duqu because it creates files with the prefix “~DQ”. According to Symantec's report, the malware infected systems across a wide geographic area, including several European countries.
Infection vector
Duqu is delivered through a Microsoft Word document that exploits a zero-day vulnerability (one unknown to the vendor at the time, so no patch was available). Word is only the carrier: the flaw is in the Windows TrueType font parsing engine, which runs in the kernel-mode driver win32k.sys, and the document triggers it with a malformed embedded TrueType font. T2EMBED.DLL is the user-mode embedded-font library on the path to that parser; Microsoft's interim workaround was to deny access to it until the fix shipped. The vulnerability is CVE-2011-3402, patched in MS11-087 (December 2011). Because the parser runs in kernel mode, a successful exploit already executes with kernel privileges, which is what lets the dropper install a driver without a separate privilege escalation.
Duqu work-flow
- The victim opens the Word document; the malformed font triggers the vulnerability and the exploit code runs.
- The exploit installs a driver (JMINET7.SYS) and drops the rest of the Duqu framework (the main DLL, its configuration files, and so on).
- For persistence, the driver is registered as a service so that it is loaded at every boot; the driver then loads the main DLL and injects it into services.exe (the process that manages services on Microsoft Windows). The driver itself is not injected; it is the injector.
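The article does not describe the root cause of CVE-2011-3402, so the following is not a detector for that bug. It is the generic structural check a practitioner applies when triaging fonts extracted from a suspicious document: does every table the TrueType directory advertises actually lie inside the file? This is an added example, not code from the article or from any of the Duqu analyses; the fonts it builds are constructed test data, and the "oversized length" case shows the kind of 32-bit arithmetic wrap that a C parser has to guard against.

```python
"""Structural sanity check for a TrueType/OpenType font table directory.

Added example; not code from the original article nor from the Duqu or Microsoft
analyses it summarises. Generic check only: it does not model CVE-2011-3402's
actual root cause, which the article does not describe. Fonts built here are
constructed test data, not real fonts.
"""
import struct

OFFSET_TABLE_LEN = 12   # sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
RECORD_LEN = 16         # tag(4) checkSum(4) offset(4) length(4)
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}


def check_font_directory(data: bytes) -> list:
    """Return a list of problems; an empty list means the directory is consistent."""
    problems = []
    if len(data) < OFFSET_TABLE_LEN:
        return ["file shorter than the 12-byte offset table"]
    version = data[:4]
    if version not in SFNT_VERSIONS:
        problems.append(f"unexpected sfnt version {version!r}")
    (num_tables,) = struct.unpack(">H", data[4:6])
    dir_end = OFFSET_TABLE_LEN + RECORD_LEN * num_tables
    if dir_end > len(data):
        problems.append(f"numTables={num_tables} needs a {dir_end}-byte directory "
                        f"but the file is only {len(data)} bytes")
        return problems
    seen = set()
    for i in range(num_tables):
        start = OFFSET_TABLE_LEN + RECORD_LEN * i
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[start:start + RECORD_LEN])
        if tag in seen:
            problems.append(f"duplicate table {tag!r}")
        seen.add(tag)
        if offset < dir_end:
            problems.append(f"table {tag!r} overlaps the directory (offset {offset})")
        # Python ints do not wrap, so a huge length cannot slip past this check the
        # way offset + length can in C with 32-bit arithmetic.
        if offset + length > len(data):
            problems.append(f"table {tag!r} runs past end of file "
                            f"(offset {offset}, length {length}, file {len(data)})")
    return problems


def build_font(tables: dict) -> bytes:
    """Build a minimal, well-formed sfnt container from {tag: payload} (constructed test data)."""
    num = len(tables)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 0, 0, 0)
    offset = OFFSET_TABLE_LEN + RECORD_LEN * num
    records, body = [], b""
    for tag, payload in tables.items():
        records.append(struct.pack(">4sIII", tag, 0, offset, len(payload)))
        padded = payload + b"\x00" * (-len(payload) % 4)   # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + b"".join(records) + body


def corrupt_record(font: bytes, index: int, offset=None, length=None) -> bytes:
    """Return a copy of `font` with one directory record's offset and/or length overwritten."""
    start = OFFSET_TABLE_LEN + RECORD_LEN * index
    tag, checksum, off, ln = struct.unpack(">4sIII", font[start:start + RECORD_LEN])
    off = off if offset is None else offset
    ln = ln if length is None else length
    record = struct.pack(">4sIII", tag, checksum, off, ln)
    return font[:start] + record + font[start + RECORD_LEN:]


if __name__ == "__main__":
    good = build_font({b"head": b"\x00" * 54, b"maxp": b"\x00" * 32})
    print("well-formed:", check_font_directory(good))
    # Length chosen so that offset + length wraps to a small value in uint32 arithmetic.
    bad = corrupt_record(good, 1, length=0xFFFFFFF0)
    print("oversized length:", check_font_directory(bad))
    print("truncated file:", check_font_directory(good[:20]))
```

Run it directly to see the three cases; in a triage pipeline the same function would be applied to each font carved out of a document, with any non-empty result treated as grounds for a closer look.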
Duqu’s goal
Duqu's goal is to steal information related to SCADA systems. Because the malware is modular, it cannot be excluded that a destructive plug-in could be loaded later, although no such module has been found. To exfiltrate data, Duqu hides the encrypted data inside small dummy JPEG (image) files. These are sent to command-and-control servers running Linux and hosted in several countries around the world (Germany, Belgium, China…).
Stuxnet connection
Several similarities exist between Stuxnet and Duqu:
- both are installed through a Microsoft Windows zero-day;
- both have components signed with stolen code-signing certificates;
- both target the same SCADA sector; only the purpose differs (sabotage for Stuxnet, information gathering for Duqu).
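The exfiltration method described under Duqu's goal, carrying encrypted data inside dummy JPEG files, is worth a concrete check. The article does not say exactly how the payload is embedded, so the example below assumes the most common technique: appending the blob after the End-Of-Image marker (FF D9), where image viewers ignore it. This is an added example, not code from the article or from the Duqu analyses; the sample image and payload are constructed here. The parser walks the marker structure, including the entropy-coded scan, returns whatever follows EOI, and measures its entropy, since an appended encrypted blob sits close to 8 bits per byte while a harmless trailing newline or metadata does not.

```python
"""Find data smuggled after a JPEG's End-Of-Image marker.

Added example; not code from the original article nor from the Duqu analyses it
summarises. Assumes the appended-after-EOI layout for the demonstration, not as a
claim about Duqu's exact file format. The sample image and payload are constructed.
"""
import math
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def find_jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes after EOI (b'' if none). Raises ValueError if the structure is broken."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}, got 0x{data[pos]:02x}")
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes before the marker code
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return data[pos:]
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (seg_len,) = struct.unpack(">H", data[pos:pos + 2])
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError(f"bad segment length {seg_len} at offset {pos}")
        pos += seg_len                                    # the length field counts itself
        if marker == SOS:
            # Entropy-coded data follows: FF 00 is a stuffed byte and FF D0..D7 a restart
            # marker, both part of the scan; any other FF xx ends it.
            while pos < len(data):
                if data[pos] == 0xFF and pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                        break
                pos += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8, text and padding well below."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)


def build_sample_jpeg(scan: bytes = b"\x12\x34\xff\x00\x56\x78") -> bytes:
    """Structurally valid (not necessarily decodable) 16x16 greyscale JPEG, constructed for the demo."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # JFIF 1.1, no thumbnail
    sof0 = b"\x08\x00\x10\x00\x10\x01\x01\x11\x00"           # 8-bit precision, 16x16, one component
    sos = b"\x01\x01\x00\x00\x3f\x00"                        # one component, full spectral range
    return b"\xff\xd8" + seg(0xE0, app0) + seg(0xC0, sof0) + seg(SOS, sos) + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_sample_jpeg()
    payload = bytes(range(256)) * 2                           # stand-in for an encrypted blob
    print("clean trailer:", find_jpeg_trailer(clean))
    trailer = find_jpeg_trailer(clean + payload)
    print(f"trailer bytes: {len(trailer)}, entropy: {shannon_entropy(trailer):.2f} bits/byte")
```

Applied to images captured from outbound HTTP traffic, a non-empty high-entropy trailer on a tiny image is a cheap, format-aware signal that is much harder to dismiss than file size alone; a zero-length trailer does not clear the file, since payloads can also be hidden in APPn segments or in the scan data itself.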
More technical information about Duqu's keylogger module is available here.