Thursday, March 29, 2012

Duqu malware resurfaces after five-month holiday

Duqu, the malware that has been compared to 2010's notorious Stuxnet, is back, security researchers said today.
After a several-month sabbatical, the Duqu makers recompiled one of the Trojan's components in late February, said Liam O Murchu, manager of operations at Symantec's security response team.
The system driver, which is installed by the malware's dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC's memory.
Symantec has captured a single sample of the driver, which was compiled Feb. 23, 2012. Before that, the last time the Duqu gang updated the driver was Oct. 17, 2011.
Duqu has been characterized by Symantec -- the first to extensively analyze the Trojan last year -- and others as a possible precursor to the next Stuxnet, the ultra-sophisticated wormthat sabotaged Iran's nuclear fuel enrichment program by crippling critical gas centrifuges.
O Murchu said that the functionality of the new driver was "more or less the same" as earlier versions, including the one spotted last October and another from late 2010 that later surfaced. "The functionality hasn't changed," said O Murchu.
While O Murchu was hesitant to speculate on why the hackers had returned to action or why they took a five-month break, security researchers at Moscow-based Kaspersky Lab were not as reluctant.

No comments:

Post a Comment