Duqu Reference Material

The following material was compiled from a variety of reliable sources, and contains information covering the various aspects of the Win32.Duqu worm. If you find anything new and useful, including some sample binary code, please email me.

How Duqu Works (Detailed Analysis and Reports)

W32.Duqu: The Precursor to the Next Stuxnet - Version 1.4 - published by Symantec Nov. 23, 2011
W32.Duqu: The Precursor to the Next Stuxnet - Version 1.3 - published by Symantec Nov. 1, 2011
W32.Duqu: The Precursor to the Next Stuxnet - Version 1.2 - published by Symantec Oct. 20, 2011
W32.Duqu: The Precursor to the Next Stuxnet - Version 1.1 - published by Symantec Oct. 19, 2011
W32.Duqu: The Precursor to the Next Stuxnet - Version 1.0 - published by Symantec Oct. 18, 2011
McAfee Threat Research and Analysis Report - McAfee
McAfee Threat Analysis and Information Website - PWS-Duqu - McAfee
McAfee Threat Analysis and Information Website - PWS-Duqu.dr - McAfee
McAfee Threat Analysis and Information Website - PWS-Duqu!rootkit - McAfee
McAfee Threat Analysis and Information Website - PWS-Duqu!dat - McAfee
Duqu - Steal Everything - Kaspersky
Duqu Trojan Questions and Answers - Dell SecureWorks
Duqu Wikipedia Page

Industrial Control System Cyber Emergency Response Team (ICS-CERT)

JSAR-11-312-01 - published Nov. 8, 2011
ICS-ALERT-11-291-01E - published Nov. 1, 2011
ICS-ALERT-11-291-01D - published Oct. 26, 2011
ICS-ALERT-11-291-01CP - published Oct. 24, 2011 - FOR OFFICIAL USE ONLY
ICS-ALERT-11-291-01B - published Oct. 21, 2011
ICS-ALERT-11-291-01A - published Oct. 19, 2011
ICS-ALERT-11-291-01 - published Oct. 18, 2011

Detection and Removal Tools

CrySys Duqu Detector Toolkit - v1.02 released Nov. 15, 2011 [mirror here on SCADAhacker]
CrySys Duqu Detector Toolkit - v1.01 released Nov. 10, 2011 [mirror here on SCADAhacker]
NSS Labs ( Blog Post / Download Tool ) - released Nov. 3, 2011
Microsoft Support KB 2639658 [includes Fixit tool] - released Nov. 3, 2011

Blogs and Posts of Interest (most recent first)

Added January 4 (time for an update!):
Four Takeaways from the Stuxnet-Duqu Connection - DarkReading - posted 1/2/12 [four points worth noting in protecting ICS/SCADA/DCS systems as well!]
Kaspersky Lab Experts: Duqu and Stuxnet Not the Only Malicious Programs Created by the Responsible Team - Kaspersky - posted 12/29/11 [describes the "Tilded" platform and how it was possibly used in both sets of malware, plus three "unknown" pieces of malware yet to be discovered.]
The Mystery of Duqu: Part Seven: The Evolution of Drivers - SecureList/Kaspersky Expert - posted 12/28/11 [blog entry by Alexander Gostev (Chief Security Expert) discusses his findings that "the platform used to create Duqu and Stuxnet is the same".]
The Mystery of Duqu: Part Six - SecureList/Kaspersky Expert - posted 11/30/11 [this entry looks at the C&C infrastructure used by Duqu, stating more than a dozen C&C servers estimated active]
Duqu Analysis Shows ICS-SCADA Networks Vulnerability - InfoSec Island - posted 12/15/11 [summarizes ENISA report on Duqu available here]
Microsoft fixes Duqu Hole - CNet - posted 12/13/11 [Elinor Mills summarizes this month's MS update, and provides an informative graph on security bulletin severity over the period 2004-2011]
Beyond Stuxnet and Duqu: Security Implications to Our Infrastructure - Symantec - posted 12/12/11 [excellent report that ties in ICS/SCADA/DCS security to threats like Duqu]
Attackers Clean Out Duqu Servers - ISSSource - posted 12/5/11 [hackers behind Duqu have shut down their snooping operation, and removed all of the 12 known C&C servers]

Added November 24:
How the Duqu Authors May Have Erred - Threat Post [looks at likely scenario that Stuxnet and Duqu were created by the same team, their targets, and some potential errors they may have made]
Anatomy of the Duqu Attacks - Threat Post [first in two part series with Costin Raiu from Kaspersky]
Cyber attacks on critical infrastructure reach U.S. - Homeland Security Newswire [questionable sources, implies Israel for both Stuxnet and Duqu and attributes missile explosion in Iran to Duqu]
Israel's Secret Attack Plan: Electronic Warfare - Daily Beast [vulnerability of Iran grid and susceptibility to Stuxnet-like attack]
Kaspersky Press Release Page for Duqu - Kaspersky [very good site of reference links to their posts, podcasts, media, etc.]

Added November 15:
The Mystery of Duqu: Part Five - SecureList/Kaspersky Expert [more new analysis, including look at the payload]
Security researcher says Iran to blame for its own Duqu infections - ComputerWorld [Iran not sharing samples of malware hinders response efforts]
Iran Admits Nuclear Sites Hit by 'Duqu' Cyberweapon - FoxNews [Iran admits Duqu hits nuclear sites]

November 13:
Iran says has detected Duqu computer virus - Reuters [Iran fighting Duqu with success]
Ramping up U.S. Cybersecurity - Politico [Janet Napolitano talks about what DHS is doing to help protect U.S. from cyber-villains]

Added November 11:
The Duqu Saga Continues: Enter Mr. B Jason and TV's - SecureList/Kaspersky Expert [more on similarities with "Stars" (remember the galaxy JPG in Duqu!) and new detailed analysis of Penetration and Collecting Info]

Added November 10:
Part Two: Duqu: father, son, or unholy ghost of Stuxnet? - SC Magazine [analysis by USAF Cyberspace Officers] Contributed by @RobertMLee
Duqu and Rumors of War - ISSSource [implicates Obama had knowledge of Duqu and its applicability in Libya]
Open-Source Toolkit Tracks Down Duqu Infections - IDG News reported by PC World [new toolkit by CrySys]

Added November 9:
Duqu spawned by 'well-funded team of competent coders' - UK Register [look at team of developers and steganographic techniques]
ICS-CERT Updates Duqu and Adds CitectSCADA Advisory - Chemical Facility News ["Stars" is missing from US-CERT report]
Live Hacking [another reference tag with links to related Duqu posts]

Added November 7:
Duqu and Stars: Proceed with Caution - Robert M. Lee via InfoSec Island [raises doubt about Duqu similarities with Stars]
Cyber-Espionage, Duqu Trojan Lead Week's Security News - eWeek [brings Duqu, Nitro and other events together regarding cyber espionage]
Duqu FAQ (Updated) - SecureList/Kaspersky Expert [faqs]
India shuts server linked to Duqu computer virus (updated) - Reuters [tracks C&C server lease to client in Milan, Italy]

Added November 6:
Microsoft Sloppy on Duqu Workaround - ComputerWorld [must read before implementing the MS workarounds]
Product Watch: New Free Duqu Scanner Released - Dark Reading [NSS Labs detection/removal tool]

Added November 5:
Duqu First Spotted as 'Stars' Malware in Iran - SecureList/Kaspersky Expert [similar to "Stars", created to spy on Iran]
Duqu: father, son, or unholy ghost of Stuxnet? - SC Magazine [analysis by USAF Cyberspace Officers] Contributed by @RobertMLee

Added November 3:
Microsoft Releases Workaround for Kernel Flaw used by Duqu - ThreatPost [includes advisory and fixit tool]
Microsoft releases Security Advisory 2639658 - Microsoft TechNet Blogs
The Mystery of Duqu: Part Three - SecureList/Kaspersky Expert [corrections, notes on dropper, theory of author]

Previous Posts:
What is Duqu up to? - Dark Reading [searching for answers]
Duqu Malware: Still No Patch - Information Week [Stuxnet-like SMB infection mechanism]
Windows kernel 'zero-day' found in Duqu attack - ZD Net [MS Security Response acknowledges 0-day]
Duqu: Status Updates Including Installer with Zero-Day Exploit Found - Symantec [diagram of dropper and infection map]
Duqu Installer Contains Windows Kernel Zero Day - Threat Post [dropper only works for 8 days in August]
Spotted in Iran, trojan Duqu may not be "son of Stuxnet" after all - ARS Technica [believes not related to Stuxnet]
New Analysis Questions Origin of Duqu Trojan - ThreatPost [intro to Dell report, other adds]
Win32/Duqu: It's A Date - ESET [offers insight and tools into config decryption]
Duqu registers no alarm for Siemens, infection hits Indonesia - Jakarta Post [target identification]
Duqu: Another Reason to Invest in Cyber Security - InvestmentU [target identification]
The Mystery of Duqu: Part Two - SecureList/Kaspersky Expert [read conclusion! new target info & drivers]
Duqu Updated Targeting Information - Symantec [insight into intended targets]
W32.Duqu: The Precursor to the Next Stuxnet - Symantec
Why Does Duqu Matter? - EmptyWheel [more details on target identification]
Duqu Status Update #1 - Symantec [initial researcher name disclosed]
The Mystery of Duqu: Part One - SecureList/Kaspersky Expert [details on both Stuxnet & Duqu]
What is the "adpu321.sys" - System Explorer [details of adpu321.sys]
Does Anyone Want Sourcecode to Stuxnet? - SCADAhacker [references to usable code]
Duqu, Son of Stuxnet, Destroyer of Worlds! - eEye chief researcher Marc Maiffret [discredits similarities with Stuxnet]
Duqu FAQ - SecureList/Kaspersky Expert [faqs]
Duqu: Not the Son of Stuxnet, but the Vanguard of a New Generation? - Malware City [questions similarity to Stuxnet]
Son of Stuxnet Found in the Wild on Systems in Europe - Threat Level/Wired [one of early breaking stories]
The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu Updated - McAfee [early analysis]
Virus Experts Warn of Stuxnet Variant "Duqu" - ThreatPost [early release]
Evidence of Infected SCADA Systems Washes up in Support Forums - ThreatPost

Stars Worm/Malware

New Stars Malware said to Target Iran - Apr. 25, 2011 - ThreatPost
Iran Target of New Cyber Attack - Apr. 25, 2011 - Mehrnews.com
CVE-2011-3402

Microsoft Security Response Center

Microsoft Security Bulletin MS11-087
Security Advisory 2639658 - Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
Microsoft Support KB 2639658 [includes Fixit tool]
Microsoft Malware Protection Center - Win32/Duqu.A [alias: McAfee PWS-Duqu]
Microsoft Malware Protection Center - Win32/Duqu.B
Microsoft Malware Protection Center - Win32/Duqu.C
Microsoft Malware Protection Center - Win32/Hideproc.G [alias: McAfee PWS-Duqu.dr]
Microsoft Malware Protection Center - WinNT/Duqu.A [alias: McAfee PWS-Duqu!rootkit]
Microsoft Malware Protection Center - WinNT/Duqu.B [alias: McAfee PWS-Duqu!rootkit]

Other Valuable Information

CVE-2011-3402
Laboratory of Cryptography and System Security (CrySyS) - Budapest Univ. of Tech & Econ
What does Duqu – and future zero-day threats – mean to your organization? - Webcast - originally recorded Oct. 25, 2011
Stuxnet Malware Analysis - Amr Thabet - published Sept. 9, 2011 (website, MrxNet.sys source)

Diagrams

Driver Evolution from 2008 to 2011 (Kaspersky)
Source: Kaspersky (SecureList)
Duqu Infection Process (Kaspersky)
Source: Kaspersky (SecureList)
Duqu Infection Schematic (Symantec)
Source: Symantec

Duqu Main Components (CrySys)
Source: CrySys

Interacting Galaxy System NGC 6745
Source: NASA

Facts at a Glance

Attribute | Duqu | Stuxnet
Composed of multiple modules | Yes | Yes
Rootkit to hide its activities | Yes | Yes
System driver is digitally signed | Yes (C-Media) | Yes (Realtek, JMicron)
System driver decrypts secondary modules in PNF files | Yes | Yes
Decrypted DLLs are directly injected into system processes instead of dropped to disk | Yes | Yes
Data sensitive: functionality is controlled via complex, encrypted configuration file | Yes (36 days) | Yes
Use XOR based encryption for strings | Yes (key: 0xAE1979DD) | Yes (key: 0xAE1979DD)
Referencing 05.09.1979 in configuration file (http://en.wikipedia.org/wiki/Habib_Elghanian) | Yes (0xAE790509) | Yes (0xAE790509)
New update modules via C&C | Yes (keylogger) | Yes
Known module to control PLC/SCADA systems | No | Yes
Infection Methods | Unknown | USB (Universal Serial Bus), PDF (Portable Document Format)
Dropper Characteristics | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files
Zero-days used | None yet identified | Four
Command and Control | HTTP, HTTPS, Custom | HTTP
Self propagation | None yet identified | P2P (Peer to Peer) using RPCs (Remote Procedure Call), Network Shares, WinCC Databases (Siemens)
Data exfiltration | Add-on, keystroke logger for user and system info stealing | Built-in, used for versioning and updates of the malware
Date triggers to infect or exit | Uninstalls self after 36 days | Hard coded, must be in the following range: 19790509 => 20120624
Interaction with control systems | None | Highly sophisticated interaction with Siemens SCADA control systems

Table 1. Comparison of Duqu and Stuxnet

Source: Dell / McAfee


Name | File Size | MD5
jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd800
netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad86
netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c35
cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b245
cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c7
cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6cc
<unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87ec
nfred965.sys | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5e
nred961.sys | unknown | f60968908f03372d586e71d87fe795cd
adpu321.sys | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc2
iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f

Table 2. Byproducts of Duqu

Source: Dell

Contributors

SCADAhacker would like to thank the following individuals for contributing to the content provided on this page:

@RobertMLee
@Shotoz