Security IT

Expert: Duqu Is a Custom Attack Framework

Trailrunner7 writes "All of the hype about Duqu being the next Stuxnet obscured many of the real facts about the new malware. It turns out that not only is Duqu essentially a customizable attack framework with separate modules for each target, but it has also been found on high-value networks in Iran and the Sudan. A detailed analysis of the Duqu malware files by Alex Gostev of Kaspersky Lab shows that the malware uses different drivers and modules for every target. 'It is obvious that every single Duqu incident is unique with its own unique files using different names and checksums. Duqu is used for targeted attacks with carefully selected victims,' Gostev said."
  • by Anonymous Coward on Wednesday October 26, 2011 @04:31PM (#37848568)

    About 8 years ago I predicted that virus development would accelerate to the ultimate virus, namely:

    - it would be incredibly stealthy
    - it would use a modular framework of attack methods to breach systems
    - it would be self-organizing, i.e. P2P style networking
    - it would use heavily encrypted traffic

    And now, we hear that it has come to pass. The penultimate virus, the 2nd to the last, is now here with us. Only minor refinements remain:

    - it would self-probe defenses using a modular system. A wide variety of known vulnerabilities could then easily be matched to a specific module for attack. In essence, it no longer matters about attacking a single point. Instead, multiple points would be probed, and possibly attacked, at once.
    - it would be able to use its P2P network setup to pull probes and attacks that are not at the breached machine, allowing modules to be spread out thinly across the entire network of peers. This has several advantages in that it hides all of the known attack vectors, while reducing the footprint of the actual virus itself.
    - it would extend the P2P system by implementing a set of proxies. The idea is that the virus would eventually breach a border device, and noting that it was such, it would then enable a form of proxy back to the outside. This would allow for external penetration of a DMZ, and eventually, the interior network. Once inside the interior, it could use the proxies as a "lifeline" to go back and connect to the P2P network, allowing probes and attacks that were not carried by the originating virus to be available.

    There are a few more points that I will not publicly discuss, or include here, because I don't want to provide even more bad ideas to the public. Despite that, it should be pretty clear that when these key points are implemented, we will have reached the end-game of worm/virus/malware security: a self-replicating, self-defending, self-organizing attack vector. It is just a matter of time before all un-patched systems can be compromised, regardless of vendor, platform, or implementation. Years of security neglect (in the form of labor and capital expenditures) by large businesses in their quests to secure "eternal profits with no losses" will come back some day to be repaid to them...in the form of complete destruction and/or compromise of their data.

    It is time to withdraw some of our public Internet activity from view, and stand far back, away from what will eventually be a smoking crater. It is time for darknets to rise, for a gradual Exodus of those in-the-know, while the public stands around like sheep, waiting to be slaughtered by this chain of events. Get your data out of public systems, and start shielding yourself now.

    The Internet in the United States, Europe, and most of Asia, as we know it, is fundamentally broken. We have broken it ourselves, and willingly did so for the sake of our current and only god, Money. Everyone that was online 20 years ago knew this would be the result, warned against it, and for their efforts, were ridiculed and mocked. And now...now Facebook knows more about you than your parents, the US Govt. is more than happy to secretly probe you via Google warrants, and your credit rating is soon going to join that smoking crater when your credit card is eventually stolen from the likes of Sony.

    We warned you. You made the choice, you get to pay the price. KMFDM indeed.
