Duqu is a malicious matryoshka

Introduction

On September 1, 2011, a file named ~DN1.tmp was submitted to the VirusTotal website from Hungary. At that time, the file was detected as malicious by only two antivirus engines - BitDefender and AVIRA. This is how the story of Duqu began. Looking ahead, it must be said that the Duqu malware family was named after this file. However, this file is a fully self-contained spy module with keylogger functions, probably installed with the help of a malicious downloader, and can be considered only a "payload" downloaded by Duqu in the course of its operation, not an integral part (module) of Duqu itself. One of the actual Duqu components was submitted to VirusTotal only on September 9th. Its distinguishing feature is a driver carrying a digital signature from C-Media. Some experts immediately began drawing analogies with another well-known example of malware - Stuxnet, which also used signed drivers. The total number of computers infected by Duqu, as detected by various antivirus companies around the world, is in the tens. Many companies claim that Iran is once again the main target, but judging by the geography of the infections, this cannot be said for sure.
In this case, the only thing one can say with confidence is that this is another campaign bearing the newfangled label APT (advanced persistent threat).

Implementation procedure in the system

An investigation conducted by specialists from the Hungarian organization CrySyS (Laboratory of Cryptography and System Security of the Budapest University of Technology and Economics) led to the discovery of the installer (dropper) through which the system was infected. It was a Microsoft Word file containing an exploit for a vulnerability in the win32k.sys driver (MS11-087, described by Microsoft on November 13, 2011), which is responsible for rendering TTF fonts. The exploit's shellcode uses a font embedded in the document named 'Dexter Regular', with Showtime Inc. credited as the font's creator. As you can see, the creators of Duqu are not without a sense of humor: Dexter is a serial killer, the hero of the television series of the same name produced by Showtime. Dexter kills (where possible) only criminals, i.e. he breaks the law in the name of the law. Probably the Duqu developers are being ironic in this way: they engage in illegal activity for good purposes. The e-mails were sent in a targeted manner. Most likely, compromised (hacked) computers were used as intermediaries for sending, to make tracing difficult.
The Word document thus contained the following components:

  • text content;
  • embedded font;
  • exploit shellcode;
  • driver;
  • installer (DLL).

In case of successful execution, the exploit's shellcode performed the following operations (in kernel mode):

  • a check for re-infection was performed: the existence of the 'CF4D' key was checked in the registry under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'; if it existed, the shellcode terminated;
  • two files were decrypted - driver (sys) and installer (dll);
  • the driver was injected into the services.exe process and launched the installer;
  • at the end, the shellcode wiped itself with zeros in memory.
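The re-infection marker described above can be hunted for offline in a text export of the registry (`reg export`). The following scanner is an added example written for this article, not code from the original post or from the Duqu researchers; it assumes the export has already been decoded to text and treats the marker as either a value named 'CF4D' or a subkey of that name, since the article does not say which. The sample export is constructed.

```python
import re

# Infection marker checked by Duqu's shellcode (location quoted in the article).
DUQU_MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
DUQU_MARKER_NAME = "CF4D"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")        # [HKEY_...\Path]
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "Name"=type:data


def find_duqu_marker(reg_export_text):
    """Scan a decoded .reg export and report the marker if present.

    Returns "subkey" when ...\\Zones\\1\\CF4D exists as a key,
    "value:<data>" when a value named CF4D sits under ...\\Zones\\1,
    and None when the marker is absent. Key names compare case-insensitively,
    as the registry itself does."""
    marker_subkey = (DUQU_MARKER_KEY + "\\" + DUQU_MARKER_NAME).lower()
    current_key = None
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            if current_key.lower() == marker_subkey:
                return "subkey"
            continue
        if current_key is None or current_key.lower() != DUQU_MARKER_KEY.lower():
            continue
        m = _VALUE_RE.match(line)
        if m and m.group("name").upper() == DUQU_MARKER_NAME:
            return "value:" + m.group("data")
    return None


# Constructed sample exports (not captured from a real infection).
SAMPLE_CLEAN = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]
"DisplayName"="Local intranet"
"""

SAMPLE_MARKED = SAMPLE_CLEAN + '"CF4D"=dword:00000001\n'
```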

Because the exploit code runs inside win32k.sys under the 'System' account, Duqu's developers elegantly solved both problems at once: unauthorized launch and privilege escalation (when run from a user account with limited privileges).
The installer, after receiving control, decrypted three data blocks in memory containing:

  • signed driver (sys);
  • main module (dll);
  • installer configuration data (pnf).

The installer configuration data specified a date range (in the form of two timestamps - start and end). The installer checked whether the current date fell within it; if not, it terminated. The installer configuration data also specified the names under which the driver and the main module were saved. The main module was saved to disk in encrypted form.


To autostart Duqu, a service was created that uses a driver file that decrypts the main module on the fly, using keys stored in the registry. The main module contains its own configuration data block. At the first start, it was decrypted, the installation date was entered into it, after which it was encrypted again and saved by the main module. Thus, in the affected system, during a successful installation, three files were saved - the driver, the main module and its configuration data file, while the last two files were stored on disk in encrypted form. All decryption procedures were carried out only in memory. This complex installation procedure was used to minimize the possibility of detection by antivirus software.

The main module

The main module (resource 302), according to Kaspersky Lab, was written with MSVC 2008 in pure C, but using an object-oriented approach. This is uncharacteristic for malicious code. As a rule, such code is written in C in order to reduce its size and avoid the implicit calls inherent in C++; here the two are combined. In addition, an event-driven architecture was used. Kaspersky Lab employees lean toward the theory that the main module was written using a pre-processor add-on that allows C code to be written in an object-oriented style.
The main module is responsible for receiving commands from the operators. Duqu provides several ways to interact: over the HTTP and HTTPS protocols, and over named pipes. For HTTP(S), the domain names of the command centers are specified, and it was possible to work through a proxy server, for which a username and password were supplied. For the named-pipe channel, an IP address and a pipe name are specified. All of this data is stored (encrypted) in the configuration data block of the main module.
To use named pipes, a custom implementation of the RPC server was launched. It supported the following seven functions:

  • return the installed version;
  • inject dll into the specified process and call the specified function;
  • load dll;
  • launch a process by calling CreateProcess();
  • read the contents of the given file;
  • write data to the specified file;
  • delete the given file.

Named pipes could be used within the local network to distribute updated modules and configuration data between Duqu-infected computers. In addition, Duqu could act as a proxy server for other infected computers (which did not have access to the Internet due to firewall settings on the gateway). Some versions of Duqu lacked RPC functionality.

Known "payloads"

Symantec has identified at least four "payloads" loaded on command from the Duqu control center.
However, only one of them was resident and compiled as an executable file (exe), which was saved to disk. The remaining three were implemented as dll libraries. They were loaded dynamically and executed in memory without being saved to disk.

The resident "payload" was a spy module (infostealer) with keylogger functions. It was its submission to VirusTotal that started the research work on Duqu. The main spy functionality was located in a resource, the first 8 kilobytes of which contained part of a photo of the galaxy NGC 6745 (for masking). It should be recalled here that in April 2012, some media published information (http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1297506) that Iran had been exposed to some kind of "Stars" malware, while the details of the incident were not disclosed. It is possible that it was precisely such a sample of the Duqu "payload" that was discovered in Iran at the time, hence the name "Stars".
The spy module collected the following information:

  • list of running processes, information about the current user and domain;
  • list of logical drives, including network ones;
  • screenshots;
  • addresses of network interfaces, routing tables;
  • log file of keyboard keystrokes;
  • names of open application windows;
  • list of available network resources (sharing resources);
  • a complete list of files on all drives, including removable ones;
  • list of computers in the "networked environment".

Another spy module (infostealer) was a variation of the one already described, but compiled as a dll library; the keylogger, the file listing and the enumeration of computers in the domain were removed from it.
The next module (reconnaissance) collected system information:

  • whether the computer is part of a domain;
  • paths to Windows system directories;
  • operating system version;
  • name of the current user;
  • list of network adapters;
  • system and local time, as well as the time zone.

The last module (lifespan extender) implemented a function that increased the number of days remaining until Duqu stops working (a value stored in the configuration data file of the main module). By default, this value was set to 30 or 36 days depending on the Duqu variant, and it decreased by one every day.

Command centers

On October 20, 2011 (three days after the discovery was made public), the Duqu operators carried out a procedure to destroy traces of the command centers' operation. The command centers were hosted on hacked servers around the world - in Vietnam, India, Germany, Singapore, Switzerland, Great Britain, Holland and South Korea. Interestingly, all identified servers were running CentOS versions 5.2, 5.4 or 5.5, both 32-bit and 64-bit. Despite the fact that all files related to the operation of the command centers were deleted, Kaspersky Lab specialists managed to recover some of the information from LOG files found in slack space. The most interesting fact is that on the servers the attackers always replaced the default OpenSSH 4.3 package with version 5.8. This may indicate that an unknown vulnerability in OpenSSH 4.3 was used to hack the servers. Not all of the systems were used as command centers. Some, judging by the errors in the sshd logs when attempting to forward traffic for ports 80 and 443, were used as proxies to reach the final command centers.

Dates and modules

A Word document distributed in April 2011, which was examined by Kaspersky Lab, contained an installer loader driver with a compilation date of August 31, 2007. A similar driver (size - 20608 bytes, MD5 - EEDCA45BD613E0D9A9E5C69122007F17) in the document that reached the CrySyS laboratory had a compilation date of February 21, 2008. In addition, Kaspersky Lab experts found the autorun driver rndismpc.sys (size - 19968 bytes, MD5 - 9AEC6E10C5EE9C05BED93221544C783E) dated January 20, 2008. No components dated 2009 were found. Based on the compilation timestamps of the individual parts of Duqu, its development may date back to early 2007. Its earliest manifestation is associated with the detection of temporary files of the form ~DO (probably created by one of the spy modules), whose creation date is November 28, 2008 (article "Duqu & Stuxnet: A Timeline of Interesting Events"). The most recent date related to Duqu is February 23, 2012, contained in an installer loader driver discovered by Symantec in March 2012.
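The two driver indicators quoted above (size plus MD5) are enough for a simple on-disk sweep. The scanner below is an added example written for this article, not code from the original post or from Kaspersky Lab or Symantec; it checks file size before hashing so that only candidate files are read in full, and `demo_scan()` exercises it on constructed files with a constructed IoC entry, since no real Duqu sample is available here.

```python
import hashlib
import os
import tempfile

# Driver indicators quoted in the article: MD5 (lowercase) -> size in bytes.
DUQU_DRIVER_IOCS = {
    "eedca45bd613e0d9a9e5c69122007f17": 20608,  # installer loader driver (CrySyS document)
    "9aec6e10c5ee9c05bed93221544c783e": 19968,  # rndismpc.sys autorun driver
}


def file_md5(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_duqu_drivers(root, iocs=DUQU_DRIVER_IOCS):
    """Walk `root` and return [(path, md5)] for files whose size AND MD5
    match an indicator. The size check comes first, so only files of a
    candidate size are ever hashed."""
    wanted_sizes = set(iocs.values())
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:          # unreadable / vanished file: skip it
                continue
            if size not in wanted_sizes:
                continue
            digest = file_md5(path)
            if iocs.get(digest) == size:
                hits.append((path, digest))
    return hits


def demo_scan():
    """Self-check on constructed data: one file matching a constructed IoC and
    one same-size decoy that does not. Returns [(basename, md5)] of the hits."""
    sample = b"constructed sample driver bytes " * 8   # 256 bytes, not real Duqu
    decoy = b"\x00" * len(sample)
    iocs = {hashlib.md5(sample).hexdigest(): len(sample)}
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("suspect.sys", sample), ("decoy.sys", decoy)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return [(os.path.basename(p), d) for p, d in scan_for_duqu_drivers(root, iocs)]
```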

Information sources used:

series of articles about Duqu from Kaspersky Lab;
Symantec Analyst Report "W32.Duqu The precursor to the next Stuxnet", version 1.4, November 2011 (pdf).

Source: habr.com
