Duqu meets Dexter
Gostev wrote a pretty extensive analysis of Duqu on Friday. Duqu's makers have apparently been working on this malware since 2007 and have affection for fictional TV serial killer Dexter.
The shellcode of the exploit was contained in an embedded font processed by the win32k.sys system. The font was called Dexter Regular, and its creators were shown as Showtime Inc.
This is another prank pulled by the Duqu authors, since Showtime Inc. is the cable broadcasting company behind the TV series Dexter, about a CSI doctor who happens also to be a serial killer who avenges criminals in some post-modern perversion of Charles Bronson’s character in Death Wish.
The driver loaded by the exploit into the kernel of the system had a compilation date of August 31, 2007. The analogous driver found in the dropper from CrySyS was dated February 21, 2008. If this information is correct, then the authors of Duqu must have been working on this project for over four years!
As part of the investigation of the given incident we’ve established the entry points for penetration of the systems, dates of events, and several facts regarding the conduct of the attackers. This information allows one to date one of the waves of attack to mid-to-late April 2011. Key findings include:
- For every victim, a separate set of attack files was created;
- Each unique set of files used a separate control server;
- The attacks were conducted via e-mails with a .DOC file attached;
- The mail-outs took place from anonymous mailboxes, probably via compromised computers;
- At least one e-mail address is known from which the mail-outs were conducted - firstname.lastname@example.org;
- For each victim, a separate DOC file was put together;
- The vulnerability exploit was contained in the font called “Dexter Regular”;
- The attackers changed the shellcode, and varied the range of dates for possible infection;
- After penetration into a system the attackers installed extra modules and infected neighboring computers;
- The presence on the systems of the files ~DF.tmp and ~DQ.tmp unambiguously points to an infection by Duqu.
Due to privacy reasons and protection of the identity of the victim, we cannot share the source .DOC file with other parties.
Also, we are not at present disclosing the address of the control server for this variant of Duqu; however, we think that it is not functioning now and all critical information on it has already been deleted by the attackers. This is also the case for one more control server we have discovered. Information about the control servers will be published later.
We can say that there are at least 12 unique sets of Duqu files known to us at present. The variant discussed in this post has been named variant F. Detailed information on the other variants will be published later.
The post includes a lot of images and screen captures. Check it out, because it's among the best research we've seen on Duqu to date.
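The quoted findings name the exploit font ("Dexter Regular", vendor "Showtime Inc.") as an indicator. As an added example that is not part of the original post or of Kaspersky's analysis, the Python below parses a TrueType 'name' table and flags a font whose full name or manufacturer string matches those indicators; the sample font blob is constructed here purely for testing, and nothing else about Duqu's files is assumed.

```python
import struct

# Indicators quoted in the analysis above: the embedded font's full name and vendor.
DUQU_FONT_NAME = "Dexter Regular"
DUQU_FONT_VENDOR = "Showtime Inc."

# TrueType 'name' table nameIDs (OpenType spec): 4 = full font name, 8 = manufacturer.
NAME_ID_FULL_NAME = 4
NAME_ID_MANUFACTURER = 8


def parse_name_table(font: bytes) -> dict:
    """Return {nameID: string} from a TrueType/OpenType font's 'name' table ({} if absent)."""
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):          # walk the table directory (16-byte records at offset 12)
        off = 12 + 16 * i
        tag, _csum, toff, tlen = struct.unpack(">4sIII", font[off:off + 16])
        if tag == b"name":
            break
    else:
        return {}
    table = font[toff:toff + tlen]
    _fmt, count, string_off = struct.unpack(">HHH", table[:6])
    names = {}
    for i in range(count):               # 12-byte name records follow the 6-byte header
        plat, _enc, _lang, name_id, length, s_off = struct.unpack(">6H", table[6 + 12 * i:18 + 12 * i])
        raw = table[string_off + s_off:string_off + s_off + length]
        # Platform 3 (Windows) strings are UTF-16BE; treat anything else as single-byte.
        text = raw.decode("utf-16-be" if plat == 3 else "latin-1", errors="replace")
        names.setdefault(name_id, text)  # keep the first record seen for each nameID
    return names


def is_duqu_font(font: bytes) -> bool:
    """True if the font's name table matches the indicators quoted above."""
    names = parse_name_table(font)
    return (names.get(NAME_ID_FULL_NAME) == DUQU_FONT_NAME
            or names.get(NAME_ID_MANUFACTURER) == DUQU_FONT_VENDOR)


def build_font(full_name: str, manufacturer: str) -> bytes:
    """Constructed test fixture: a minimal sfnt blob containing only a 'name' table."""
    records, strings = b"", b""
    for name_id, text in ((NAME_ID_FULL_NAME, full_name), (NAME_ID_MANUFACTURER, manufacturer)):
        enc = text.encode("utf-16-be")   # platform 3, encoding 1, language 0x409 (en-US)
        records += struct.pack(">6H", 3, 1, 0x409, name_id, len(enc), len(strings))
        strings += enc
    name_table = struct.pack(">HHH", 0, 2, 6 + len(records)) + records + strings
    offset_table = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # 12 bytes, one table
    directory = struct.pack(">4sIII", b"name", 0, 28, len(name_table))  # table starts at 28
    return offset_table + directory + name_table
```

Fonts extracted from a suspicious document can be fed to is_duqu_font; a non-matching name table is not proof of a clean file, since the finding above only covers the font the attackers used.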