IntelliShield has updated this alert to include information about a 0-day vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT has also released a security alert with additional information regarding this trojan.
W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker.
Based on samples collected by a research organization in Europe, the malware shares source code with W32/Stuxnet-B, documented in IntelliShield Alert 20915. Reports suggest that W32.Duqu is intended only for information gathering, which suggests it could be a precursor to forthcoming advanced attacks. The malicious software could gather the following information:
Screenshots
Keypresses
Open window names
Enumerated file information from shared, removable and all connected drives
System network and domain information
Lists of running processes and account details
W32.Duqu primarily consists of a driver file that is functionally equivalent to the W32/Stuxnet-B driver, a DLL containing multiple embedded files, a configuration file, and a dropper program that installs these files on a targeted system.
The trojan communicates with its command and control server over HTTP and HTTPS. A Server Message Block (SMB) command and control channel has also been implemented and could be used for communications.
Impact
W32.Duqu attempts to log user keystrokes, take screenshots at regular intervals, and collect other system-related information such as a list of running processes, account details, domain information, and network information. It may also log drive names, shared and removable drive information, open window names, and directory information from all drives. The malicious software may also initiate remote application download and act as a remote access trojan, granting back door access to an unauthorized remote attacker.
Warning Indicators
On systems running Microsoft Windows, the presence of the component files named in the Technical Information section (the driver JMINET7.SYS or CMI4432.SYS registered as a service, and the DLL NETP191.PNF or CMI4432.PNF) and the associated registry key modification may indicate an infection.
The presence of .tmp files in the %Temp% folder whose names begin with ~DQ could also indicate the presence of this trojan.
W32.Duqu may also attempt a DNS lookup of the following domain: kasperskychk.dyndns.org
Personal firewall applications may display a notification message when W32.Duqu attempts to connect to the Internet to pass information to a remote attacker.
Host intrusion detection and prevention system software may display a notification when the trojan attempts to connect to the Internet to post information or download updates.
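The indicators above (the component file names registered as a service, ~DQ*.tmp files in %Temp%, the kasperskychk.dyndns.org lookup, and the 77.241.93.160 address given in the analysis below) can be checked mechanically against evidence pulled from a host. The following is an added example and is not code from the alert or from any vendor product: it matches a constructed snapshot of host evidence against those indicators. The HostSnapshot layout, the driver path and the benign entries in SAMPLE are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from this alert: driver and DLL file names, the ~DQ*.tmp
# temp files, the DNS name looked up, and the command and control address.
DUQU_COMPONENT_FILES = {"jminet7.sys", "cmi4432.sys", "netp191.pnf", "cmi4432.pnf"}
DUQU_TEMP_FILE = re.compile(r"^~dq[^\\/]*\.tmp$", re.IGNORECASE)
DUQU_DNS_NAMES = {"kasperskychk.dyndns.org"}
DUQU_C2_ADDRESSES = {"77.241.93.160"}


@dataclass
class HostSnapshot:
    """Evidence collected from one Windows host (assumed collection format)."""
    temp_files: list      # file names found in %Temp%
    services: dict        # service name -> image path
    dns_queries: list     # (process name, queried name)
    connections: list     # (process name, remote address, remote port)


def base_name(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(snapshot):
    """Return (indicator, detail) pairs for every Duqu indicator matched."""
    hits = []
    for name in snapshot.temp_files:
        if DUQU_TEMP_FILE.match(base_name(name)):
            hits.append(("temp_file", name))
    for svc, path in snapshot.services.items():
        if base_name(path) in DUQU_COMPONENT_FILES:
            hits.append(("service_driver", f"{svc} -> {path}"))
    for proc, qname in snapshot.dns_queries:
        # Normalise case and a trailing dot so "kasperskychk.dyndns.org." still matches.
        if qname.lower().rstrip(".") in DUQU_DNS_NAMES:
            hits.append(("dns_lookup", f"{proc} queried {qname}"))
    for proc, addr, port in snapshot.connections:
        if addr in DUQU_C2_ADDRESSES:
            hits.append(("c2_connection", f"{proc} -> {addr}:{port}"))
    return hits


# Constructed sample evidence: the driver path and the benign entries are made
# up for illustration and are not from the alert.
SAMPLE = HostSnapshot(
    temp_files=["~DQ3A1F.tmp", "~DF9C02.tmp", "report.docx"],
    services={
        "jminet7": r"C:\Windows\System32\drivers\jminet7.sys",
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
    },
    dns_queries=[
        ("services.exe", "kasperskychk.dyndns.org."),
        ("firefox.exe", "www.example.com"),
    ],
    connections=[
        ("services.exe", "77.241.93.160", 443),
        ("firefox.exe", "93.184.216.34", 443),
    ],
)

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind}: {detail}")
```

A hit on the temp-file pattern alone is weak evidence (any process can create ~DQ-prefixed files); the service entry pointing at one of the named driver files, or a lookup of the named domain from services.exe, is the stronger signal and is what the injection step described in the Technical Information section would produce.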
Technical Information
On execution, the installer registers the driver file (JMINET7.SYS/CMI4432.SYS) as a service so that the driver is loaded at system startup.
The driver then injects the main DLL (NETP191.PNF/CMI4432.PNF) into a specified process, typically services.exe. This process name and the DLL file path are retrieved from the following registry key:
The data stored within the registry subkeys is encrypted with a custom multiplication rolling-key algorithm and is decoded using the accompanying encryption_key field. By default, the process to be injected into is services.exe. Before proceeding, the driver also verifies that the system is not in Safe Mode and checks for the presence of process debuggers.
Subsequently, the main DLL (NETP191.PNF/CMI4432.PNF) begins execution by extracting other components, which are injected into processes such as Explorer.exe, IExplore.exe and Firefox.exe.
The trojan can then download an additional executable that acts as the main information stealer.
W32.Duqu is designed to remove itself after a period of 36 days.
IntelliShield Analysis
W32.Duqu shares a large amount of code with W32/Stuxnet-B, suggesting that it was created by someone with access to the W32/Stuxnet-B source code. However, instead of sabotaging Supervisory Control And Data Acquisition (SCADA) and Industrial Control Systems (ICS), W32.Duqu appears to provide remote access and information-stealing capabilities.
To evade IPS and IDS detection and mask malicious communication with the command and control center, the trojan could upload and download random .jpg files.
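The alert does not say how the .jpg transfers carry data. One common way to hide data in an image file is to append it after the JPEG end-of-image marker, where viewers ignore it, so a useful check on image files crossing the perimeter is whether anything trails that marker. The following is an added example, not code from the alert or from any vendor: it walks the JPEG marker structure of a constructed sample and returns whatever follows the EOI marker. It assumes single-scan (baseline) JPEGs; build_sample and the payloads passed to it are constructed inputs.

```python
SOI = b"\xff\xd8"


def jpeg_end_offset(data):
    """Walk the JPEG marker structure and return the offset just past EOI (FF D9).

    Assumes a single-scan (baseline) JPEG. Raises ValueError if the data does
    not parse as a JPEG, which for a file served with a .jpg name is itself a
    finding worth reporting.
    """
    if not data.startswith(SOI):
        raise ValueError("no SOI marker")
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI with no scan: degenerate but complete
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker in (0x01, 0xFF):
            pos += 1 if marker == 0xFF else 2   # standalone markers and fill bytes have no length
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen                       # length field counts itself
        if marker == 0xDA:                      # SOS: entropy-coded data follows the header
            while pos + 1 < n:
                # Inside scan data 0xFF is always followed by 0x00 (stuffing) or
                # 0xD0..0xD7 (restart), so FF D9 here can only be the EOI.
                if data[pos] == 0xFF and data[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            raise ValueError("scan data without EOI")
    raise ValueError("truncated JPEG")


def appended_payload(data):
    """Bytes after the image's EOI marker; b'' for a clean file."""
    return data[jpeg_end_offset(data):]


def build_sample(payload):
    """Constructed minimal JPEG (APP0 + SOS + a few scan bytes + EOI) with payload appended.

    The image content is a structural placeholder, not a decodable picture.
    """
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"              # contains a stuffed FF 00 that must not end the scan
    return SOI + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    for label, blob in [("clean", build_sample(b"")),
                        ("trailer", build_sample(b"exfiltrated data"))]:
        print(f"{label}: {len(appended_payload(blob))} trailing bytes")
```

Walking the marker structure rather than searching for the last FF D9 matters: a payload that itself contains FF D9 would make a naive reverse search report a shorter trailer, or none. In a proxy or IDS the size of the trailer, relative to the image size and repeated across many transfers to one destination, is the signal to act on.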
The trojan's driver file is signed with a valid digital certificate, belonging to a company in Taipei, Taiwan, that expires on August 2, 2012. This certificate was revoked on October 14, 2011. Signature checks that consult revocation information will therefore reject the driver, but a system that does not check revocation status will continue to treat it as validly signed.
Reports indicate that this trojan leverages a 0-day vulnerability within the Microsoft Windows platform, documented in IntelliShield alert 24500, to install itself on the targeted system via Microsoft Word (.doc) files.
A command and control server that uses a peer-to-peer protocol for communication with clients installed on infected systems was found to be located in Belgium. The server had the IP address 77.241.93.160; the service provider has since disabled it.
Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan. Rule-based firewalls are typically set up by an administrator for an entire network and are often configured to block all traffic entering and exiting the network except traffic on ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow only certain services and processes to access the Internet or local network; they can also prompt the user each time a new process or service attempts such access. Both types of firewall may prevent malicious code from downloading updates or additional files, from contacting an attacker or website, and from accessing local network resources.
Most host intrusion detection/prevention system software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems and to prevent this trojan from executing its infection routines. Such software may also be configured to prompt the user when suspicious activity occurs, so that the user can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.
Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.
Safeguards
Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.
Block all file attachments except those that are specifically required for business purposes.
Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.
Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.
Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.
Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.
Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.
Provide initial and continuing education to all levels of users throughout the organization.
Patches/Software
The Symantec Security Response for W32.Duqu is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The F-Secure Virus Description for W32.Duqu is available at the following link: Virus Description
ICS-CERT has released a security alert at the following link: ICS-ALERT-11-291-01E
Signatures
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Version 2, October 25, 2011, 12:44 PM: IntelliShield has updated this alert to include information about a companion document released by the Cisco Applied Intelligence team.
Version 1, October 19, 2011, 4:46 PM: W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker. Virus definitions are available.
The security vulnerability applies to the following combinations of products.
Primary Products:
IntelliShield
Malicious Code Alert
Original Release Base
Associated Products:
N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.