Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Hackers may have spent years crafting Duqu

Gregg Keizer | Nov. 14, 2011
The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday.

Symantec echoed that.

"There are multiple variants of Duqu and the samples Kaspersky have analyzed simply reflect this fact," said Eric Chien, technical director of Symantec's security response group, in an email reply to questions today. "Thus, we have no reason to believe there are conflicts between our analysis and the analysis published by Kaspersky. Their analysis is based on earlier versions, which would account for the earlier date."

Duqu has been characterized by Symantec and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that last year sabotaged Iran's nuclear program.

While some have disputed that, Kaspersky is firmly in the Stuxnet-connection camp.

"This new analysis has made us more confident that Duqu was created by the same people behind Stuxnet," said Schouwenberg.

There are certainly differences -- Stuxnet was an attack tool, Duqu seems designed to be part of an intelligence-gathering operation -- but Schouwenberg said there were even more similarities. One such similarity: a line between Stuxnet and Duqu's infection process that, he said, showed the authors of the former learned important lessons that they then applied to the latter.

"They learned from Stuxnet, which was very 'noisy,'" said Schouwenberg, referring to the widespread infections of the worm that many believe was due to over-eager attackers who had been stymied in an earlier attempt to infiltrate Iran's nuclear facilities. Duqu takes a much more cautious approach; It exploits only one unpatched, or "zero-day" Windows vulnerability, not the unprecedented four used by the Stuxnet shotgun.

"Duqu is very sophisticated," said Schouwenberg. "Some mistakes were made in Stuxnet, but all those mistakes are gone now [in Duqu]."

More information about Duqu ( download PDF ) can be found on the website of U.S.-CERT, the cyber-defense agency that's part of the Department of Homeland Security, and in an updated report from Symantec ( download PDF ).



Previous Page  1  2 

Sign up for MIS Asia eNewsletters.