Son of Stuxnet

The security industry is currently buzzing with talks about a threat dubbed as the precursor to the next STUXNET.

According to a Symantec analysis, portions of the code are very similar to STUXNET, and was likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not have code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be inclined toward information theft.

Duqu is made up of several components. The SYS file, which is detected as RTKT_DUQU.A, is responsible for activating the malware, and triggering the execution of its other routines. Based on analysis, however, the main goal of the said files is to establish a connection with its C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, into the affected systems through this connection. We have also verified that DUQU has codes very similar to that of STUXNET.

Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system. It also checks if it matches any of the following security-related processes:

avp.exe (Kaspersky)
Mcshield.exe (McAfee)
avguard.exe (Avira)
bdagent.exe (Bitdefender)
UmxCfg.exe (CA)
fsdfwd.exe (F-Secure)
rtvscan.exe and ccSvcHst.exe (Symantec)
ekrn.exe (ESET)
tmproxy.exe (Trend Micro)
RavMonD.exe (Rising)
If found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code before resuming the execution. In effect, there will be two AV processes; the first being the original, and the second being the patched one.

TROJ_SHADOW.AF requires command lines in order to execute properly. Available commands include: collecting information on the affected system, terminating malware processes, and deleting itself. It can steal a wide array of information on any affected system, such as:

1. Drive information such as:

Drive device name
2. Screenshots
3. Running Processes and Owner of Running Processes
4. Network Information such as

IP address
IP routing table
TCP and UDP table
DNS Cache table
Local Shares
5. Local shared folders and connected users
6. Removable drives serial number
7. Window names
8. Information on open files on local computer using NetFileEnum

Upon execution, RTKT_DUQU.A decrypts a configuration file in its body to get the registry path containing the location of TROJ_DUQU.ENC, and the process where to inject the DLL. From our analysis, the decrypted registry path in the two samples are HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3 and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432, respectively.

These registry paths contain the “FILTER” entry, which contains encrypted data which RTKT_DUQU.A will decrypt to get the path of TROJ_DUQU.ENC, as well as a process name where TROJ_DUQU.ENC will be injected.

Decrypting TROJ_DUQU.ENC results into a DLL file that is injected in the process specified in the registry. The decrypted DLL is detected as TROJ_DUQU.DEC. Once TROJ_DUQU.DEC is loaded, it accesses TROJ_DUQU.CFG to get configuration information.

Information contained in the configuration file include:

Service registry key
File path of component files
Websites it will try to connect to for DNS checking
Processes wherein TROJ_DUQU.DEC will inject itself into
TROJ_DUQU.DEC communicates with the C&C server to receive and execute commands. These commands include downloading other malicious files, which in this case, appears to be the infostealer TROJ_SHADOW.AF.

Enterprise networks are also protected from DUQU through the Trend Micro Threat Discovery Appliance, which detects the malware’s connection to the C&C server through the rule 473 TCP_MALICIOUS_IP_CONN. Also, Deep Security is able to detect the changes made inside the Drivers folder (%Window%\system32\drivers) by DUQU variants,through the rule Integrity Monitoring Rule: 1003517 – Microsoft Windows – System driver files modified.

One thought on “Son of Stuxnet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s