Malicious Code Alert

Trojan: W32.Duqu

 
Threat Type: IntelliShield: Malicious Code Alert
IntelliShield ID: 24425
Version: 3
First Published: 2011 October 19 21:46 GMT
Last Published: 2011 November 02 15:08 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: IntelliShield has updated this alert to include information about a 0-day vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT has also released a security alert with additional information regarding this trojan.
 
Aliases/Variants

Stuxnet 2.0, Stuxnet II

Virus Name:

W32.Duqu (Aliases include: W32/Duqu.A, W32/Duqu.B (FSecure))

 

Description
 

W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker.

Based on the samples collected from a research organization based in Europe, the malware shares source code similarities with W32/Stuxnet-B, documented in IntelliShield Alert 20915. Reports suggest that W32.Duqu has been programmed with the intent of information gathering only, suggesting that it could be a precursor to forthcoming advanced attacks. The malicious software could gather the following information:

  • Screenshots
  • Keypresses
  • Open Window names
  • Enumerated file information from shared, removable and all connected drives
  • System network and domain information
  • Lists of running processes, account details

W32.Duqu primarily consists of a driver file that is functionally equivalent with W32/Stuxnet-B, a DLL containing multiple embedded files, a configuration file, and a dropper program that installs these files on a targeted system.

The trojan communicates with its command and control center over the HTTP and HTTPS protocols. A Server Message Block (SMB) command and control channel has also been implemented and could be used for communications.


Impact
 

W32.Duqu attempts to log user keystrokes, take screenshots at regular intervals, and collect other system-related information such as a list of running processes, account details, domain information, and network information. Additionally, the malicious software could also log drive names and other shared or removable drive information, open window names, and directory information from all drives. The malicious software may also initiate remote application download and act as a remote access trojan, granting back door access to an unauthorized, remote attacker.


Warning Indicators
 

On systems running Microsoft Windows, the presence of the following files and registry key modification may indicate an infection:

%Windows%\system32\Drivers\jminet7.sys
%SystemDrive%\inf\netp191.pnf
%SystemDrive%\inf\netp192.pnf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER

A second variant of W32.Duqu creates the following files and registry key, whose presence indicates an infection:

%Windows%\system32\Drivers\cmi4432.sys
%SystemDrive%\inf\cmi4432.pnf
%SystemDrive%\inf\cmi4464.PNF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432

The presence of .tmp files in the %Temp% folder whose names begin with ~DQ could also indicate the presence of this trojan.

W32.Duqu could also try to perform a DNS lookup on the following domain: kasperskychk.dyndns.org

Personal firewall applications may display a notification message when W32.Duqu attempts to connect to the Internet to pass information to a remote attacker.

Host intrusion detection and prevention system software may display a notification when the trojan attempts to connect to the Internet to post information or download updates.
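The following PowerShell script is an added example, not part of the original alert: it sweeps a Windows host for the file, registry, %Temp% and DNS indicators listed above and only reports what it finds. It assumes the indicator paths exactly as given in this alert and that %Windows% and %SystemDrive% map to $env:SystemRoot and $env:SystemDrive.

```powershell
# Added example: read-only sweep for the W32.Duqu indicators named in this alert.
# Reports findings only; it never deletes files or registry keys.
$win = $env:SystemRoot      # %Windows%
$sys = $env:SystemDrive     # %SystemDrive%

# File indicators for both variants (jminet7/netp19x and cmi4432/cmi4464)
$files = @(
    "$win\system32\Drivers\jminet7.sys",
    "$sys\inf\netp191.pnf",
    "$sys\inf\netp192.pnf",
    "$win\system32\Drivers\cmi4432.sys",
    "$sys\inf\cmi4432.pnf",
    "$sys\inf\cmi4464.PNF"
)

# Registry indicators (service entries created by the installer); HKLM: is the
# PowerShell drive for HKEY_LOCAL_MACHINE
$keys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\JmiNET3",
    "HKLM:\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER",
    "HKLM:\SYSTEM\CurrentControlSet\Services\cmi4432"
)

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "File present: $f" }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# ~DQ*.tmp artifacts: check the current user's %Temp% and the system temp folder
$tempDirs = @($env:TEMP, "$win\Temp") | Select-Object -Unique
foreach ($d in $tempDirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Filter '~DQ*.tmp' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Temp artifact: $($_.FullName)" }
    }
}

# A cached resolution of the domain named in the alert suggests a lookup was attempted
$dnsCache = ipconfig /displaydns 2>$null
if ($dnsCache -match 'kasperskychk\.dyndns\.org') {
    $findings += "DNS cache entry: kasperskychk.dyndns.org"
}

if ($findings.Count -eq 0) { Write-Output "No W32.Duqu indicators found on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Run it from an elevated prompt so the Drivers and inf folders and the Services hive are readable; a hit on any indicator warrants a full antivirus scan and isolation of the host rather than manual cleanup.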


Technical Information
 

W32.Duqu primarily consists of a driver file that is functionally equivalent with W32/Stuxnet-B, a DLL containing multiple embedded files, a configuration file, and a dropper program that installs these files on a targeted system.

On execution, the installer registers the driver file (JMINET7.SYS/CMI4432.SYS) as a service so that the driver is executed at system startup.

The driver then injects the main DLL (NETP191.PNF/CMI4432.PNF) into a specified process, typically services.exe. This process name and the DLL file path are retrieved from the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER

The data stored within the registry subkeys are encrypted with a custom multiplication rolling key algorithm and are decoded using the contained encryption_key field. By default, the process to be injected into is services.exe. In addition to the above, the driver also verifies that the system is not in Safe Mode and checks for the presence of process debuggers.

Subsequently, the main DLL (NETP191.PNF/CMI4432.PNF) begins execution by extracting certain other components. These components are further injected into processes such as Explorer.exe, IExplore.exe and Firefox.exe.

The trojan could then download an additional executable that acts as the main information stealer.

W32.Duqu is designed to remove itself after a period of 36 days.


IntelliShield Analysis
 

W32.Duqu shares a large amount of code with W32/Stuxnet-B, suggesting that they were created by someone having access to the W32/Stuxnet-B source code.  However, instead of sabotaging Supervisory Control And Data Acquisition (SCADA) and Industrial Control Systems (ICS), W32.Duqu appears to enable remote access and information-stealing capabilities.

To evade IPS and IDS detection and mask malicious communication between the command and control center, the trojan could upload and download random .jpg files.

The trojan also uses a driver file signed with a valid digital certificate, expiring on August 2, 2012, that belongs to a company in Taipei, Taiwan. This certificate was revoked on October 14, 2011.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Cisco Applied Mitigation Bulletin: Identifying and Mitigating the W32 Duqu Trojan

Reports indicate that this trojan leverages a 0-day vulnerability within the Microsoft Windows platform, documented in IntelliShield alert 24500, to install itself on the targeted system via Microsoft Word (.doc) files.

A command and control server that uses a peer-to-peer protocol to communicate with clients installed on infected systems was found to be located in Belgium. The server has the IP address 77.241.93.160; however, it has since been disabled by the service provider.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan. Rule-based firewalls are typically set up by an administrator for an entire network. These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow certain services and processes to access the Internet or local network. These firewalls can be configured to prompt a user each time a new process or service attempts to access the Internet or local network. Both types of firewalls may prevent malicious code from downloading updates or additional files. The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.

Most host intrusion detection/prevention system software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems. This software can be configured to prevent this trojan from executing its infection routines. Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs. Often users can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network.  User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.


Safeguards
 

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those that are specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.

Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.


Patches/Software
 

The Symantec Security Response for W32.Duqu is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The F-Secure Virus Description for W32.Duqu is available at the following link: Virus Description

ICS-CERT has released a security alert at the following link: ICS-ALERT-11-291-01E


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0

Signature ID   Signature Name         Release   Latest Release Date
40106/0        Duqu DNS Resolution    S607      2011 Nov 03
 
Alert History
 

Version 2, October 25, 2011, 12:44 PM: IntelliShield has updated this alert to include information about a companion document released by the Cisco Applied Intelligence team.

Version 1, October 19, 2011, 4:46 PM: W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker. Virus definitions are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Malicious Code Alert Original Release Base

Associated Products:
N/A






LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.