Intel Security

Attack: Duqu

Overview

Attack Details

Beginning in mid-October 2011, McAfee Labs, along with a number of other vendors, were alerted to and began actively monitoring and acting upon reports of an emerging threat known as Duqu. It appears that the primary attack (the seeding and distribution of the malware) occurred in September and October. On March 20, 2012, a new sample was discovered.

There are many reasons for the escalated concern and reaction to this particular threat. In particular, the threat’s apparent relationship to the highly sophisticated Stuxnet attacks are reason enough to dig deeper and attempt to uncover the motivation, behavior, and overall effects of this threat. Through this outlet, we aim to ensure that our customers are provided with the most accurate and critical information surrounding this threat.

  • Targeted attacks have been reported in Iran, England, Sudan, and the United States.
    • Limited reports also indicate attacks in Austria, Hungary, and Indonesia.
  • The executables share injection code with the Stuxnet worm and were compiled after the last Stuxnet sample was recovered.
  • The structure of Duqu is very similar to that of Stuxnet (using Portable Executable format resources).
  • There is no industrial control system–specific attack code in Duqu.
  • The primary infection vector is a malicious Microsoft Word document, which exploits a zero-day vulnerability in Microsoft Windows (CVE-2011-3402).

Find Out if Your System is Infected
Update your DATs to at least 6501, ensure on-demand scans are working properly, and perform a full file system virus scan. Review McAfee ePolicy Orchestrator, anti-virus alerts, and network logs to identify compromised systems.