Wednesday, March 21, 2012

New Duqu Sample Found in the Wild

Via Symantec Security Response Blog (March 20, 2012) -

We recently received a file that looked very familiar. A quick investigation showed it to be a new version of W32.Duqu. The file we received is only one component of the Duqu threat however—it is the loader file used to load the rest of the threat when the computer restarts (the rest of the threat is stored encrypted on disk).


The compile date on the new Duqu component is February 23, 2012, so this new version has not been in the wild for very long. Checking the code we can see the authors have changed just enough of the threat to evade some security product detections, although this appears to have only been partially successful.


This is the first version of Duqu that we have found in 2012. Previously, we saw unique versions of Duqu released on the following dates:
  • 2010-11-03
  • 2010-11-03
  • 2011-10-17
We also saw evidence that older versions had been used.

Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.


CrySyS Duqu Detector Toolkit v1.23
We are happy to introduce the Duqu Detector Toolkit v1.23 of CrySyS Lab as of 15/Mar/2012. Besides new versions of the previous detector tools that provide usability enhancements, we now also provide two brand new detector tools. The upgraded toolkit will provide better functionality for those who have already successfully used the former version.
