Researchers Discover New Duqu Variant That Tries to Evade Antivirus Detection
By Lucian Constantin
Security researchers have discovered a new variant of the Duqu cyberespionage malware that was designed to evade detection by antivirus products and other security tools.
Researchers from Symantec announced the discovery of a new Duqu driver, the component responsible for loading the malware’s encrypted body, on Monday via Twitter. The driver is called mcd9x86.sys and was compiled on Feb. 23, said Vikram Thakur, principal security response manager at Symantec.
Originally discovered in October 2011, Duqu is related to the Stuxnet industrial sabotage worm, with which it shares portions of code. However, unlike Stuxnet, which was created for destructive purposes, Duqu’s primary goal is stealing sensitive information from particular organizations around the world.
The discovery of the new driver is a clear indication that the Duqu authors are continuing their mission, said Thakur. “No amount of public awareness about Duqu has deterred them from using it to accomplish their objective.”
“I think when you invest as much money as invested into Duqu and Stuxnet to create this flexible framework, it’s impossible to simply throw it away and start from zero,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team. “We always said that future variants of Duqu and Stuxnet will most likely be based on the same platform, but with enough changes to make them undetectable by security software. Indeed, this is the case here.”
The source code of the new driver has been reshuffled and compiled with a different set of options than those used in previous versions. It also contains a different subroutine for decrypting the configuration block and loading the malware’s body.
“We have seen this technique in October 2011, when the Duqu drivers were recompiled and bundled with new encryption subroutines, following the public disclosure,” Raiu said.
The Duqu variant most likely uses a new command and control (C&C) server, since all previously known ones were shut down on Oct. 20, 2011, Raiu said. However, neither Symantec nor Kaspersky researchers know the exact address of the new server, because they don’t have the component that contains that information.
“We do not have the full Duqu body, only the loader in the form of the driver. The loader does not contact the C&C directly, it only loads the main body which is stored in encrypted form,” Raiu said.
Even if the new server would be known, it would probably be configured in a manner that it wouldn’t allow anyone to get too close to the real attackers, Thakur said. The Duqu authors are confident that the malware will remain non-attributable, he said.
The organizations targeted by the new version are also unknown at the moment, but they’re probably the same ones as in previous variants, Raiu said.