Stuxnet is probably the most well-known malware of our times. Its fame stems from the facts that it targeted a very specific industrial facility, namely a uranium enrichment plant in Iran, it aimed at physical destruction of uranium centrifuges, and it apparently accomplished its mission successfully. In addition to all these characteristics, IT security experts also appreciate its technical sophistication and the zero-day exploits that it used. Stuxnet was also an alarm to the developed world: it shed light on the capabilities of advanced attackers, and at the same time, on the numerous weaknesses of our computing infrastructure. Putting these two together, people started to feel hopelessly vulnerable.
Yet, unfortunately, Stuxnet is not a unique example for a highly sophisticated targeted threat, but there are numerous other pieces of malware of similar kind, including Duqu, Flame, Regin,… Among those, Duqu is particularly interesting, not only because we discovered it back in 2011, but because our analysis pointed out that – while Duqu’s objective is different – it has very strong similarities to Stuxnet in terms of architecture, code, and methods to achieve stealthiness. Today, it is widely believed within the IT security community that Duqu was created by the same attackers who created Stuxnet.
And now we have a new member of the same family!
By courtesy of Kaspersky Lab, in late May 2015 we received samples (more specifically two DLL files) of a new threat, with the hint that this might be related to the Duqu attacks. Our common understanding was that it would be interesting to figure out whether this new threat, dubbed “Duqu 2.0,” is indeed related to the old Duqu attack, and we in the CrySyS Lab should carry out an independent analysis for answering this question. In order to be able to perform an unbiased investigation, Kaspersky Lab did not share more details on their findings with us. The blog post on Duqu 2.0 from Kaspersky Lab can be found at https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/
After analyzing the samples that we received, we think that the attackers behind the Duqu malware are back and active. They reused code and ideas from Duqu in the new Duqu 2.0 malware, but at the same time, they also made modifications in order to render Duqu 2.0 undetectable by the old detection methods.
In our full report, available at http://www.crysys.hu/duqu2/duqu2.pdf, we point out numerous similarities that we discovered between Duqu and Duqu 2.0, including the following:
- Similar string decryption routines related to Anti-Virus product strings
- Similar methods, magic number, bug and file format related to files encrypted with AES by both threats
- Same non-standard CBC mode AES encryption used by both threats
- Extremely similar logging module with exactly the same magic numbers
- Similar C++-like coding and compiling style
Naturally, our report contains supporting details and analysis for all the similarities listed above.
Actually, it is not surprising that the attackers reused their old tools, as they have already invested a lot of design and development effort in them. What is perhaps more interesting that they could tweak and optimize their malware such that it was not detected by state-of-the-art defense mechanisms. In part, this is again due to the information asymmetry between the attackers and the defenders: the attackers had the possibility to read all published analysis reports about Duqu, so they knew what the defenders were prepared for, while the defenders typically know very little about the methods of the attackers. This seems to lead to an endless cat-and-mouse game, where the attackers always have an advantage. This also raises the far reaching questions of how much information the defenders should publish about newly discovered threats, and whether security-by-obscurity is perhaps not such an undesirable approach after all.