Attack: Duqu

What you need to know about the Duqu threat

Overview

Attack Details
(Last Update: Mar 21 12:31:43 CST 2012)

Beginning in mid-October 2011, McAfee Labs, along with a number of other vendors, was alerted to and began actively monitoring and acting upon reports of an emerging threat known as Duqu. It appears that the primary attack (the seeding and distribution of the malware) occurred in September and October 2011. On March 20, 2012, a new sample was discovered.

There are many reasons for the escalated concern and reaction to this particular threat. In particular, the threat's apparent relationship to the highly sophisticated Stuxnet attacks is reason enough to dig deeper and attempt to uncover the motivation, behavior, and overall effects of this threat. Through this outlet, we aim to ensure that our customers are provided with the most accurate and critical information surrounding this threat.

  • Targeted attacks have been reported in Iran, England, Sudan, and the United States.
    • Limited reports also indicate attacks in Austria, Hungary, and Indonesia.
  • The executables share injection code with the Stuxnet worm and were compiled after the last Stuxnet sample was recovered.
  • The structure of Duqu is very similar to that of Stuxnet (using Portable Executable (PE) format resources).
  • There is no industrial control system–specific attack code in Duqu.
  • The primary infection vector is a malicious Microsoft Word document, which exploits a zero-day vulnerability in Microsoft Windows (CVE-2011-3402).

Common Questions and Answers

Q: How can we find out if we’re infected?
A: Update your DATs to at least 6501, ensure on-demand scans are working properly, and perform a full file system virus scan. Review McAfee ePO, anti-virus alerts, and network logs to identify compromised systems.

McAfee Solutions

Coverage for CVE-2011-3402 - Reference - Microsoft Security Advisory (2639658)

Malware / Network Behavior

AV / MWG

Detection for the PWS-Duqu family is available from the 6501 DATs (released October 16th) or later.  Related detections are PWS-Duqu, PWS-Duqu!Dat, PWS-Duqu!rootkit, and PWS-Duqu.dr.  Coverage under MWG (McAfee Web Gateway) is available in the current Gateway Anti-Malware Database Update.

Updated coverage provided for new samples in the 6656 DAT release (March 21).

Detection for the PWS-Duqu family is available in McAfee Labs Stinger Tool - Build 10.2.0.555 or later.

McAfee Network Security Platform: Coverage for control server–related traffic is provided via existing signature Attack ID 0x45c02300, "Invalid SSL Flow Detected", released June 2010. Coverage for associated domains, IPs, and URLs is provided via GTI (Global Threat Intelligence).
McAfee Vulnerability Manager: The MVM release of November 2 includes a vulnerability check to determine if your systems are at risk.
McAfee Firewall Enterprise: Coverage for associated domains/IPs is provided in deployments running the GTI component.
McAfee Application Control: Runtime control of applications using Execution Control (only authorized programs can run) and Memory Protection (against remote code execution) helps in protecting against this attack. The kernel-based exploitation attempt, via malicious Word document, is out of scope.
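The network coverage above relies on a generic "Invalid SSL Flow Detected" signature rather than a Duqu-specific one, i.e. it flags traffic on TCP/443 that does not look like a TLS handshake. The script below is an added illustration of that class of check, written for this page; it is not McAfee's signature logic and the flows it inspects are constructed samples, not captured Duqu traffic. It verifies that the client's first payload on port 443 carries a well-formed TLS record header (content type 0x16, version 3.x, sane record length) wrapping a ClientHello (handshake type 0x01) and reports every port-443 flow that fails that check.

```python
"""Flag TCP/443 flows whose first client payload is not a TLS ClientHello.

Added example for this advisory page; not McAfee code. Sample flows are
constructed for illustration and do not reproduce any real C2 traffic.
"""
from dataclasses import dataclass
from typing import List

TLS_HANDSHAKE = 0x16      # record-layer content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
MAX_RECORD_LEN = 16384 + 2048  # TLSCiphertext upper bound per RFC 5246


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes    # first payload bytes sent by the client


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Return True if `data` starts with a plausible TLS record + ClientHello header."""
    if len(data) < 9:                       # 5-byte record header + 4-byte handshake header
        return False
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or record_len > MAX_RECORD_LEN:
        return False
    if data[5] != CLIENT_HELLO:
        return False
    handshake_len = int.from_bytes(data[6:9], "big")
    # The handshake message (4-byte header + body) must fit inside the record.
    return handshake_len + 4 <= record_len


def invalid_ssl_flows(flows: List[Flow]) -> List[Flow]:
    """Select flows to port 443 that do not open with a TLS ClientHello."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]


# Constructed samples (hypothetical addresses; the byte strings are hand-built).
GOOD_HELLO = bytes.fromhex("160301002c0100002803010000") + b"\x00" * 30
HTTP_ON_443 = b"GET /index.jpg HTTP/1.1\r\nHost: server.invalid\r\n\r\n"
RAW_BINARY = bytes(range(16))

SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, GOOD_HELLO),   # genuine-looking TLS
    Flow("10.0.0.6", "203.0.113.11", 443, HTTP_ON_443),  # plaintext HTTP on 443
    Flow("10.0.0.7", "203.0.113.12", 443, RAW_BINARY),   # custom protocol on 443
    Flow("10.0.0.8", "203.0.113.13", 80, HTTP_ON_443),   # HTTP on 80: not in scope
]

if __name__ == "__main__":
    for f in invalid_ssl_flows(SAMPLE_FLOWS):
        print(f"invalid SSL flow: {f.src} -> {f.dst}:{f.dport} "
              f"first bytes={f.first_bytes[:8]!r}")
```

The check only looks at the first few bytes of each flow, which is what makes it cheap enough for an inline sensor; it says nothing about the content of the session and will also fire on legitimate non-TLS services that someone chose to run on 443, so hits are a triage queue to correlate with the host-side indicators (DAT detections, ePO alerts) named above rather than a verdict on their own.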

Vulnerability / Exploit-Specific

AV / MWG

Coverage for malicious documents targeting CVE-2011-3402 is provided as "Exploit-CVE2011-3402" in the 6524 DATs, released November 8.

Updated coverage provided for new samples in the 6656 DAT release (March 21).

Detection for the malicious documents is available in McAfee Labs Stinger Tool - Build 20111111 or later.

McAfee Network Security Platform: The UDS release of November 4 provides coverage for HTTP transmission of the malicious .DOC file.
McAfee Vulnerability Manager: The MVM release of November 2 includes a vulnerability check to determine if your systems are at risk.
McAfee Firewall Enterprise: Coverage for associated domains/IPs is provided in deployments running the GTI component.

Resources