The mystery of Duqu: Part Ten
At the end of the last year the authors of Duqu and Stuxnet tried to eliminate all traces of their activity. They wiped all servers that they used since 2009 or even earlier. The cleanup happened on October 20.
There were virtually no traces of Duqu since then. But several days ago our colleagues in Symantec announced that they found a new “in-the-wild” driver that is very similar to known Duqu drivers. Previous modifications of Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.
So, the authors of Duqu are back after a 4 month break.
Duqu is back
The newly discovered driver does not contain any new functionality compared to its previous versions. The code contains only minor modifications, and they were most likely done to evade detection from antivirus programs and detection tools such as the CrySyS Duqu Toolkit. Here’s a list of changes compared to older versions:
• The code was compiled with different optimization settings and/or inline attributes of functions.
• The size of the EXE stub that is injected with the PNF DLL was increased by 32 bytes.
• The LoadImageNotifyRoutine routine now compares the module name with “KERNEL32.DLL” using hash checksums instead of simple string comparison.
• The size of the encrypted configuration block was increased from 428 to 574 bytes. There are no new fields in in the block, but the size of the registry value name (“FILTER”) field was increased. This makes the registry value name easily modifiable – probably for future use.
• The algorithm of the two subroutines that decrypt the encrypted config block, registry value and PNF DLL has been changed. This is the third known algorithm used in the Duqu encryption subroutines.
• The algorithm of the hash function for the APIs has changed. All the hash values were changed correspondingly.
Old hash function, used in previous versions of the Duqu driver:
New hash function:
The fact that the new driver was found in Iran confirms that most of Duqu incidents are related to this country.