Duqu 2.0 Makes Other Malware Look Clunky
The Duqu 2.0 hackers “are confident enough to create and run an entire cyberespionage operation just in system memory, and can survive within an entire network of compromised computers without relying on any persistence mechanism at all,” remarked Kurt Baumgartner, principal security researcher at Kaspersky Lab. “That approach is much more sophisticated and demonstrates a different mentality.”
Kaspersky discovered Duqu 2.0 after the malware penetrated its own internal networks.
“The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world,” said Kurt Baumgartner, principal security researcher at Kaspersky.
“Its level of sophistication surpasses even the Equation Group — supposedly the ‘crème de la crème’ in this sphere,” he told TechNewsWorld.
The Equation Group, a secretive computer espionage gang widely suspected of having ties to the United States National Security Agency, has infected the computer systems of at least 500 carefully selected targets in 42 countries, Kaspersky reported earlier this year.
Son of Duqu
Israel reportedly used Duqu 2.0 to spy on the U.S.-Iran nuclear talks.
Israel and the United States are believed to have been behind Stuxnet.
“Attribution of cyberattacks over the Internet is a difficult thing,” Baumgartner said.
The creators of Duqu 2.0 “use multiple proxies and jumping points to mask their connections, [which] makes tracking an extremely complex problem,” he explained.
“However, we are absolutely sure that Duqu 2.0 is an updated version of the infamous 2011 Duqu malware, which is associated with an APT group that went dark in 2012.”
Why Duqu 2.0 Is Dangerous
Duqu 2.0 exists only in system memory, making detection by antimalware software difficult, Baumgartner said.
Unlike other malware, it does not connect directly to command-and-control servers to receive instructions. Instead, it infects network gateways and firewalls by installing malicious drivers that proxy all traffic from internal networks to its C&C servers, he noted.
That makes discovery even more difficult.
The hackers “are confident enough to create and run an entire cyberespionage operation just in system memory, and can survive within an entire network of compromised computers without relying on any persistence mechanism at all,” Baumgartner remarked. “That approach is much more sophisticated and demonstrates a different mentality.”
Further, the creators of Duqu 2.0 use unique encryption algorithms, filenames and methods for each attack to avoid detection, he pointed out, which makes the operation difficult to track even after one of the attacks has been detected.
How Duqu 2.0 Attacks
The malware relies heavily on zero-days, which “could mean that the attackers were pretty confident that should one vulnerability be patched, they’d implement another,” Baumgartner said.
After the attackers infect one machine, they move laterally into the network and use various strategies to infect other computers, mainly by preparing Microsoft Windows Installer Packages and deploying them remotely to the other targets.
The advent of the Internet of Things is likely to increase Duqu 2.0’s impact.
“With its ability to move laterally through exploited networks, Duqu 2.0 will potentially make navigating through IoT devices and networks very dangerous for all connected devices, as detection will be difficult until after the damage is done,” said Secure Channels CEO Richard Blech.
“The IoT space, as it is currently positioned, is a sitting duck for this malware,” he told TechNewsWorld.
Who Has Been Hit
Kaspersky discovered the malware after one of its staff in a remote office was hit.
There are other victims in the West, the Middle East and Asia, Baumgartner said.
“There is no doubt that this attack has a much wider geographical reach and many more targets,” he continued, “but judging from what we know, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geopolitical interests.”
More Trouble Ahead
One major weakness of antivirus and definition-based security products is that “they all seem to lack the ability to detect lateral movement, as stated by Kaspersky,” said Stealthbits CIO Brett Fernicola.
“It’s imperative that security professionals keep a close watch on authentication traffic and monitor for suspicious lateral behavior,” he told TechNewsWorld. “It’s this lack of security practices that can allow an attacker to go unnoticed, often for years.”
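The lateral-movement pattern the article describes (one account authenticating to many hosts, each followed by a remotely deployed Windows Installer package) is the kind of behaviour Fernicola says authentication monitoring should catch. The detector below is an added example, not code from the article or from any vendor quoted in it; the events are constructed, the Windows Security event 4624 with logon type 3 (network logon) is real, and the thresholds, field names and the `kind` labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article), already normalised to dicts:
# "logon" = Security event 4624, LogonType 3 (network logon) on the target host;
# "msi"   = an Application-log MsiInstaller event on the same host.
EVENTS = [
    {"ts": "2015-06-10T09:00:05", "host": "WS01", "kind": "logon", "user": "svc_deploy", "src_ip": "10.0.0.5"},
    {"ts": "2015-06-10T09:00:20", "host": "WS01", "kind": "msi",   "user": "svc_deploy", "src_ip": None},
    {"ts": "2015-06-10T09:01:10", "host": "WS02", "kind": "logon", "user": "svc_deploy", "src_ip": "10.0.0.5"},
    {"ts": "2015-06-10T09:01:30", "host": "WS02", "kind": "msi",   "user": "svc_deploy", "src_ip": None},
    {"ts": "2015-06-10T09:02:00", "host": "WS03", "kind": "logon", "user": "svc_deploy", "src_ip": "10.0.0.5"},
    {"ts": "2015-06-10T09:02:15", "host": "WS03", "kind": "msi",   "user": "svc_deploy", "src_ip": None},
    # Benign noise: a single file-server logon, and an installer run with no preceding network logon.
    {"ts": "2015-06-10T09:03:00", "host": "FS01", "kind": "logon", "user": "alice", "src_ip": "10.0.0.77"},
    {"ts": "2015-06-10T09:05:00", "host": "WS09", "kind": "msi",   "user": "bob",   "src_ip": None},
]


def find_installer_fanout(events, window_min=10, min_hosts=3, msi_lag_s=120):
    """Return {(user, src_ip): [hosts]} for every account/source pair that performed
    network logons to at least `min_hosts` distinct hosts inside `window_min` minutes,
    where each logon was followed on that host by an installer event within `msi_lag_s`.
    Thresholds are assumed defaults; tune them against your own baseline."""
    parse = datetime.fromisoformat
    events = sorted(events, key=lambda e: e["ts"])

    # Index installer events per host so each logon can be checked for a follow-up.
    msi_by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "msi":
            msi_by_host[e["host"]].append(parse(e["ts"]))

    # (user, src_ip) -> {host: first logon time that was followed by an installer run}
    hits = defaultdict(dict)
    for e in events:
        if e["kind"] != "logon":
            continue
        t = parse(e["ts"])
        if any(0 <= (m - t).total_seconds() <= msi_lag_s for m in msi_by_host[e["host"]]):
            hits[(e["user"], e["src_ip"])].setdefault(e["host"], t)

    # Sliding window over logon times: alert when enough distinct hosts fall inside it.
    alerts = {}
    for key, hosts in hits.items():
        times = sorted(hosts.values())
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= timedelta(minutes=window_min)) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts
```

Running `find_installer_fanout(EVENTS)` flags only `svc_deploy` from 10.0.0.5 across WS01, WS02 and WS03; the single logon and the lone installer run are left alone.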