Expert: Duqu Is a Custom Attack Framework
Trailrunner7 writes "All of the hype about Duqu being the next Stuxnet obscured many of the real facts about the new malware. It turns out that Duqu not only is essentially a customizable attack framework with separate modules for each target, but that it has been found on high-value networks in Iran and the Sudan. A detailed analysis of the Duqu malware files by Alex Gostev of Kaspersky Lab shows that the malware uses different drivers and modules for every target. 'It is obvious that every single Duqu incident is unique with its own unique files using different names and checksums. Duqu is used for targeted attacks with carefully selected victims,' Gostev said."
Who needs black hats? (Score:2)
We don't need black hat programmers anymore... we have government intelligence agencies to do all the malicious coding work.
Sounds like now your everyday hacker hardly needs to be more sophisticated than a script kiddie.
Re: (Score:2)
I agree about the intelligence agencies part, but you could always do a lot of damage as a script kiddie if you knew how to use the rig
Re: (Score:2)
1) because it seems to be a rather popular way to monetise your virus-writing with little effort put into actually conducting attacks, and;
2) because it would require the hypothetical government program to be doing something in an efficient manner (and not tailor-making a virus to each target)
Re: (Score:2)
I just find it more amazing that the people writing malware are using good coding practices to create supportable, maintainable code, which can be extended and generalized.
That implies a really high level of organization, diligence, and use of best practices ... that's hard to do in industry, let alone what one thinks of as your typical black-hat. Thou
Re: (Score:2)
That implies a really high level of organization, diligence, and use of best practices ... that's hard to do in industry, let alone what one thinks of as your typical black-hat. Though, that probably tells me that what I think makes up your typical black hat is probably completely meaningless.
You're just coming late to the party. While what you're saying is no doubt true it is nothing new even in the black hat community. Years ago Agobot [wikipedia.org] source was released enabling thousands of variants. This was around the time of the Valve compromise ~2004 era. If you're interested the code is out there... [megapanzer.com]
Re: (Score:2)
OR, it's a government-produced attack, but they decided that they wanted plausible deniability and so coded it far above their normal standards to deflect attention.
The question is not, "Am I paranoid?" It is "Am I paranoid enough?"
Antivirus / security companies (Score:5, Insightful)
How do the big anti-virus / security companies coordinate their work so as not to offend their local government?
Or, as the conspiracy theorists have long claimed, are the virus writers and anti-virus writers merely different departments of the same company, which makes coordination inside at least one company pretty easy?
I would imagine anti-virus / security companies based in the US and Israel are probably not getting "attaboys" from their government for figuring out the latest Duqu thing.
Re: (Score:3)
The companies are in several different countries, so even if one doesn't want to look at malware (because they suspect it has government connections) someone else can, and there is nothing local government can do. Diplomatic channels are right out; it would require semi-official acknowledgement of creating it. Even backroom channels would be dangerous.
Probably the people involved wouldn't even try to interfere, even with a local company. Too much possibility of it getting out. Keeping the malware low
Re: (Score:2)
Or, as the conspiracy theorists have long claimed, are the virus writers and anti-virus writers merely different departments of the same company
For the life of me I can't find a direct reference right now, but this was proven to be true in the 90's. Some researchers found that code in an antivirus software was designed to look for patterns that only appeared months after its release (very specific patterns, not just behaviors). Maybe someone more versed in the field can point to the example, my Googling skills are failing me at the moment.
Re: (Score:1)
I'm 99% certain this story is apocryphal. I've been hearing it for years now but I've never seen even a shred of evidence. Generally it comes out exactly like this, where whoever is telling it is certain it's true but they can't remember the name of the product, the vendor or the virus.
Re: (Score:3)
In the early 90s, in the small city where I live, there was an "outbreak" of 3 (three) viruses, and every computer was infected. Then some local guy "came up" with an antivirus that only worked against those 3 viruses... and was extremely overpriced. Like $100. And no other antivirus could clean those because the virus was unheard of in other places (the infection didn't make it to F-Prot, Norton, etc). Small city, no internet... Makes one think.
Re: (Score:2)
Although anti-virus companies naturally have the talents to develop those viruses, they don't need to: there are plenty of less scrupulous people out there giving them work to do. Regarding your other point, the security crowd is quite cosmopolitan, so it shouldn't be surprising that foreigners figure it out before locals.
Re: (Score:2)
Or, as the conspiracy theorists have long claimed, are the virus writers and anti-virus writers merely different departments of the same company, which makes coordination inside at least one company pretty easy?
You're right! The summary mentions Kaspersky... but not Symantec.
Re: (Score:2)
It's a bit like with spies and other clandestine operatives. The government doesn't acknowledge them if they're caught in the act. I.e., police may notice a break-in at a hotel and arrest someone. Some governments may just have a guy in a black hat pay a visit to the prison and the arrested person walks free; other governments just sit back and let the trial play out; if the arrest is in a foreign country there may be some diplomatic actions taken to get the person back (i.e., spy exchange).
With Stuxnet no
Re: (Score:2)
Re: (Score:3)
Wired had a great write up about Stuxnet [wired.com] (soon to be a book), in which this was written:
Foreign policy request... (Score:2)
Re: (Score:2)
in places with nice, temperate climates?
Our current understanding of global climate is too inadequate to make this practical.
By the time troops are ordered, deployed, and stationed, the local climate would have already changed leaving our troops with inappropriate supplies.
Instead, I suggest that we simply choose a few places that appear desirable and invade. That way we can set up proper infrastructure and build more permanent housing to accommodate the influx of population.
Re: (Score:2)
Re: (Score:2)
"In order to Support Our Troops, could we try to have a few more sinister foreign policy developments in places with nice, temperate climates?"
Cultures and people worth defending would be a plus too. One pleasant aspect of the Cold War for both the US and Soviets was that it was common to be deployed to defend places where the locals drank booze, smoked weed, liked to party and fuck, and favored secular governments.
It was a pleasure to defend NATO. Even the protesters who picketed my base were polite, thoug
Re: (Score:2)
Hellenikon?
Count Duqu (Score:2)
oblig. sw ref. (Score:1)
Re: (Score:1)
count - Duqu: 1, Centrifuges: 0.
You mean Count Dooku [wikimedia.org]? That guy who fought Yoda?
Re: (Score:2)
Wait, "sw" could mean anything! Yeah, I'm going with that defense.
Re: (Score:1)
I was curious about your reference to a Count Dooku fighting Yoda, so I watched all three Star Wars movies and never once did Yoda even pick up a weapon. So, sorry, I'm not sure what you're talking about.
Ah, ignorance is bliss. :-)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Obama One-Time Kenobi - waves hand:
"Iran, these are not the viruses you are looking for"
The real problem (Score:5, Insightful)
Re: (Score:1)
In the same way bombing a school is also not targeting civilians?
Re: (Score:2)
Who says that these things (Stuxnet and Duqu) are inspiring the arms race? Like China or Iran or whoever else are only capable of copying what the US (or whoever it was) does? The technology is out there, and it's going to be picked up eventually by every country that cares enough to influence world affairs. China sure looks to be more than capable of figuring out how to hack things regardless of what we or anyone else does. If these things were in fact made by us - that looks like the way to bet, though it'
Re: (Score:2)
But what happens in the next stage when China or Iran tries to do this to some other country?
Are you joking or is this your first day on Slashdot? China has been on full-scale assault mode for the last half a decade, and that's being conservative. Put an IDS on the Internet sometime and just watch what happens.
How many instances? (Score:1)
Weaponized Malware (Score:2)
This is a pretty good indication that Duqu is weaponized malware -- being able to load modules specific to each target, where the target is (as far as anyone knows) foreign governments.
The Penultimate Virus (Score:2, Interesting)
About 8 years ago I predicted that virus development would accelerate to the ultimate virus, namely:
- it would be incredibly stealthy
- it would use a modular framework of attack methods to breach systems
- it would be self-organizing, i.e. P2P style networking
- it would use heavily encrypted traffic
And now, we hear that it has come to pass. The penultimate virus, the 2nd to the last, is now here with us. Only minor refinements remain:
- it would self-probe defenses using a modular system. A wide variety of
Sudan? (Score:3)
There are high value "networks" in Sudan? Seriously? High value anything?