Duqu is a robust malware delivery platform that covertly steals information from infected Windows computers.
Duqu bears many similarities to Stuxnet, a sophisticated worm which targeted industrial control systems. Both threats launch from a driver for further code injection, and the driver code shares similarities in its anti-debugging and armoring tactics. Other similarities include spoofed version information from electronics corporations. Some drivers have valid digital signatures.
Duqu's operation starts with a malicious driver, Mal/Duqu-A, that reads encrypted configuration data from its service registry key. The driver determines the path and encryption key to decrypt and load a main DLL component, Troj/Duqu-B. The main DLL component contains two more DLLs, a loader and a payload.
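As an added triage example (not Sophos code and not part of the original post), the PowerShell below lists kernel driver services whose service registry key carries values beyond the usual service settings, since the Duqu driver keeps its encrypted configuration there, and reports each binary's Authenticode signer and claimed company so that the spoofed version information and valid signatures mentioned above are checked rather than trusted. The list of standard value names and the registry path are assumptions.

```powershell
# Added example, not Sophos code. Hunts for driver services that store extra data
# in their service key and shows signer plus claimed vendor for analyst review.
# Assumption: value names outside this list are worth a look; legitimate drivers
# may still add their own, so treat hits as leads, not verdicts.
$standardValues = @('Type', 'Start', 'ErrorControl', 'ImagePath', 'DisplayName',
    'Description', 'Group', 'Tag', 'DependOnService', 'DependOnGroup', 'ObjectName',
    'Owners', 'WOW64', 'ServiceSidType', 'RequiredPrivileges', 'Security')

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Win32_SystemDriver already resolves ImagePath to a normal file-system path.
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $svc = $_
    $key = Get-Item (Join-Path $servicesRoot $svc.Name) -ErrorAction SilentlyContinue
    if (-not $key) { return }

    # Any value not in the standard set is where a driver could hide configuration.
    $extra = @($key.GetValueNames() | Where-Object { $standardValues -notcontains $_ })
    if ($extra.Count -eq 0) { return }
    if (-not $svc.PathName -or -not (Test-Path $svc.PathName)) { return }

    $sig = Get-AuthenticodeSignature -FilePath $svc.PathName
    $ver = (Get-Item $svc.PathName).VersionInfo

    [pscustomobject]@{
        Service     = $svc.Name
        Path        = $svc.PathName
        ExtraValues = ($extra -join ', ')
        SigStatus   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Company     = $ver.CompanyName       # claimed vendor from version info
    }
} | Sort-Object SigStatus, Service | Format-Table -AutoSize
```

A valid signature or a familiar company name does not clear a hit on its own; compare the signer subject against the company the version information claims, and review the extra values by hand.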
The loader provides a platform to inject arbitrary components into a selection of processes:
We haven't seen many Duqu attacks in the wild. For Sophos customers, we haven't seen any reports of Duqu detections.
Sophos detections include:

Mal/Duqu-A: the Duqu driver
Troj/DuquCn-B: the encrypted form of the main Duqu DLL component
Troj/Duqu-B: the decrypted form of the main Duqu DLL component
Troj/DuquCn-A: the encrypted configuration file used by the main Duqu DLL component
Troj/Duqu-C: the Duqu loader
Troj/Duqu-D: the Duqu payload