Dell analysis questions previous research into Duqu

By Stuart Sumner
27 Oct 2011 View Comments
Concept image representing virus malware

A new report into the Duqu Trojan questions the previously accepted belief that it was created by the team behind the Stuxnet malware, which targeted Iran's nuclear programme last year.

The research, by Dell's SecureWorks team, found that although Duqu shares some traits with Stuxnet, the payloads, and therefore the goals, of the two pieces of software are very different.

Further reading

"Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the 'injection' component," wrote Dell researchers in the report.

"[But] the ultimate payloads of Duqu and Stuxnet are significantly different and unrelated," they concluded.

Earlier this month, leading security firm Symantec released a report suggesting that Duqu was built on Stuxnet code, possibly by the same authors.

But the Dell report suggests that there is no firm evidence to corroborate this claim.

"One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship.

"The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level."

Security firm Kaspersky has noted in its news service that Duqu does not target industrial control systems, as Stuxnet did. In fact, the security industry as a whole seems at a loss to understand Duqu's purpose.

The Dell report states that the Trojan is designed to gather intelligence, but to what end, no one is currently able to say.

"Duqu facilitates an adversary's ability to gather intelligence from an infected computer and the network.

"[Dell] malware analysts have not identified any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware."

Finally, the report makes the following recommendations to help protect enterprises from the Trojan:

  • Administrators should use host-based protection measures, including antivirus and anti-malware, as part of a holistic security process that includes network-based monitoring and controls, network segmentation and policies, user access, and controls.
  • A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
  • Organizations may want to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification.
  • Administrators should monitor their network for systems attempting to resolve Duqu-related domains or connect to Duqu C2 IP addresses for possible infection.

Reader comments
blog comments powered by Disqus
Newsletters
Windows 9 - what do you want?

What would your business require from Windows 9 "Threshold" to make it an attractive proposition?

35 %
5 %
10 %
6 %
44 %