PWS-Duqu

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Password Stealer
  • Protection Added: 2011-10-16
PWS-Duqu is a trojan with backdoor and information stealing capabilities. This threat shares a lot of code with Stuxnet, which indicates it may be based on the same source code. The main difference is that this malware does not target industrial control systems, but appears to be an information gathering tool.

Minimum Engine

5400.1158

File Length

Description Added

2011-10-16

Description Modified

2011-10-16

Malware Proliferation


--- Updated 20 March 2012 ---

A new variant of this threat (W32/Duqu!rootkit) was recently discovered. Detection will be included in 6656 DAT files. The functionality of this new variant is similar to the original W32/Duqu!rootkit.

------

PWS-Duqu is composed of several modules, as was common with Stuxnet. The first module is a SYS file that is installed as a system service and is responsible for starting the malware, decrypting the secondary payloads and injecting them into running processes. Currently, it is not known how the service is installed, but most likely it is through a trojan dropper sent as an attachment, via drive-by downloads when accessing infected pages, or even manually installed through other methods.

The service is installed as a system service so that it starts every time Windows boots -- even in safe mode. The registry changes indicating this malware is active may look like the ones below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432]
"Description"="cmi4432"
"DisplayName"="cmi4432"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\cmi4432.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\
  6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26,\
  ce,cb,1c,1e,45,b0,ff,a0,dd,c0,a3,e8,58,31,0c,b2,a1,dd,11,37,ba,aa,1e,66,d3,\
  1f,b4,2f,e1,7c,eb,b6,a2,58,a0,25,62,77,b5,4c,d3,79,02,07,be,8f,bb,57,43,7c,\
  43,b5,d0,67,25,19,10,27,67,a5,15,38,9f,43

The FILTER value listed above is an encrypted data block that the malware uses to locate the second stage modules and the process to inject them into.
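As an added example (not part of the original McAfee description), the following Python scans a "reg export" of the Services key for boot-start drivers carrying a binary FILTER value, the combination shown in the key above; the export text is constructed, with the cmi4432 FILTER blob trimmed to its first two lines.

```python
import re

# Constructed sample of a "reg export" of the Services key, pairing the cmi4432
# entry shown above (FILTER blob trimmed to its first two lines) with a benign driver.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432]
"DisplayName"="cmi4432"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\cmi4432.sys"
"Start"=dword:00000001
"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\
  6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26
"""

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_services(reg_text):
    """Return {service_name: {value_name: raw_value}} for every Services\\<name> key."""
    # A trailing backslash continues a hex: value onto the next line; join those first.
    joined = re.sub(r",\\\n\s*", ",", reg_text)
    services, current = {}, None
    for line in joined.splitlines():
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            services[current][val.group(1)] = val.group(2)
    return services


def find_filter_services(reg_text):
    """Flag boot-start (Start=1) services that carry a binary FILTER value."""
    hits = []
    for name, values in parse_services(reg_text).items():
        filt = values.get("FILTER", "")
        if not filt.startswith("hex:") or values.get("Start") != "dword:00000001":
            continue
        hits.append({"service": name, "image": values.get("ImagePath", "").strip('"'),
                     "filter_bytes": len(filt[4:].split(","))})
    return hits
```

A real export comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` on the suspect host; any hit still needs the ImagePath driver examined before drawing conclusions.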

The SYS files are detected by McAfee as PWS-Duqu!rootkit.

The second stage modules are usually a set of two files with the extension ".pnf", found in %Windir%\inf (where %Windir% indicates the folder where Windows is installed, usually C:\Windows).

One of the PNF files is decrypted to produce a DLL file. The other PNF file, once decrypted, contains the configuration used by the DLL to start the malicious payload.

The DLL is not written to disk, as the SYS file handles it in memory and injects it into running processes. In test conditions, the DLL was always injected into a running instance of Services.exe.

Once the DLL is injected, it will in turn decode a third payload which is responsible for the malicious activities.

This DLL will be hidden from the OS, but it can be seen using forensic tools like GMER.

Once the DLL is started, it will try to contact the command and control server at the address below on ports 80 and 443:

  • 206.[removed].97

The request may look like the one below:

GET / HTTP/1.1
Cookie: PHPSESSID=o5ukre1ul0q6i2il1ij3ghi0j1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
Host: x.x.x.x

The PHPSESSID value is an encrypted message sent to the command and control server. The User-Agent is hardcoded and may be used to identify machines infected with this malware.

The malware is capable of executing several functions. Among them, it is able to download and execute more modules. A keylogger has been seen associated with machines infected with this threat, and the keylogger code shows many similarities with the other components, which may indicate it was a module downloaded by the main component.

The keylogger will create a file in %TEMP% with the name ~DQ<XXX>.tmp, where <XXX> may be any three letters or numbers. It is used to store the information collected.

The keylogger is able to collect different kinds of information from the machine. This information includes:

  • keystroke data
  • machine information
  • screenshots
  • file list for any disk
  • network shares
  • list of computers in same network

McAfee detects the malicious DLLs and keylogger components as PWS-Duqu and PWS-Duqu.dr.


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

The method of infection for PWS-Duqu is not known at the moment, but may include the normal methods used by trojans to replicate, such as spreading manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

The malware leaves very few traces on the system since almost all components work from memory. The signs of infection can be:

  • Network connections to the network address listed above
  • Presence of orphan DLLs in memory with no files associated as explained above.
  • Presence of the keylogger data file as listed above
  • Presence of services with the FILTER parameters as shown above.
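As an added example (not part of the original McAfee description), the following Python checks two of the signs listed above, the hardcoded User-Agent from the C2 request and the ~DQ<XXX>.tmp keylogger file name, against constructed data; the proxy log layout (client, method, URL, status, quoted user-agent) and the 203.0.113.10 address are assumptions, since the real C2 address is redacted on this page.

```python
import re

# The User-Agent is hardcoded in the malware (see the C2 request above), so an
# exact match in proxy logs is a strong host indicator.
DUQU_USER_AGENT = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
                   "Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)")
# Keylogger data file in %TEMP%: ~DQ plus three letters or digits, .tmp extension.
KEYLOG_FILE_RE = re.compile(r"^~DQ[A-Za-z0-9]{3}\.tmp$", re.IGNORECASE)
# Assumed log line layout: client method url status "user-agent".
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

# Constructed proxy log lines; 10.0.0.7 plays the infected host in this sample.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 GET http://203.0.113.10/ 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/99.0"',
    f'10.0.0.7 GET http://203.0.113.10/ 200 "{DUQU_USER_AGENT}"',
    f'10.0.0.7 GET https://203.0.113.10:443/ 200 "{DUQU_USER_AGENT}"',
    '10.0.0.9 GET http://203.0.113.10/ 200 "curl/7.68.0"',
]
# Constructed %TEMP% directory listing.
SAMPLE_TEMP_FILES = ["~DQ1a2.tmp", "~DF3b4.tmp", "~DQab.tmp", "report.docx", "~DQ9ZZ.TMP"]


def find_duqu_beacons(log_lines):
    """Return {client: count} for requests that carry the hardcoded User-Agent."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(5) == DUQU_USER_AGENT:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits


def find_keylogger_files(filenames):
    """Filter a %TEMP% directory listing down to ~DQ<XXX>.tmp names."""
    return [name for name in filenames if KEYLOG_FILE_RE.match(name)]


def triage(log_lines, temp_files):
    """Combine both checks into one verdict, per the signs-of-infection list above."""
    beacons = find_duqu_beacons(log_lines)
    keylog = find_keylogger_files(temp_files)
    return {"beaconing_hosts": sorted(beacons), "keylogger_files": keylog,
            "suspicious": bool(beacons or keylog)}
```

On a live system the temp listing would come from `os.listdir(os.environ["TEMP"])` on each suspect host; a beaconing host with no keylogger file is still worth a memory capture, since the DLL itself never touches disk.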