Thursday, March 15, 2012

Digital Warfare - Duqu: Stuxnet family of BOTS

Stuxnet was the first military-grade cyberweapon known to the world. It is believed to have been released in late 2009, and millions of computers were infected by the worm, although other references claim that it was released as early as 2007. Stuxnet was designed to cripple control systems. The modules built as part of Stuxnet allow different permutations and combinations, so that the code can be reassembled with variations. One such example was the birth of Duqu.
Duqu acts as a Trojan, stealing data, potentially as part of the planning stages of an attack. It can be said that Duqu was used as an intelligence-gathering tool, possibly aiming to prepare the ground for future attacks. According to Alex Gostev, the main module consists of three components:
  • a driver that injects a DLL into system processes;
  • a DLL that has an additional module and works with the C&C; and
  • a configuration file.


Kaspersky has suggested the family name Tilded, since most of the files they examined begin with a tilde symbol. Duqu can sneak into computers by hiding in Word document files opened as email attachments. Duqu infections have been reported in a dozen countries including Iran, France, Britain and India, according to US computer security firm Symantec. On October 18, 2011, Symantec released a Security Response Report describing W32.Duqu, an information-gathering threat targeting specific organizations, including industrial control systems (ICSs). Duqu communicates with a command and control (C&C) server. The attackers operate from the C&C server and download additional executables, including an info stealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. It is understood that this threat moves data in and out in the form of JPG files. The files were found to carry different digital signatures at various points in time: for example, one variant of the driver has a C-Media digital signature, while other files carried signatures from JMicron, IBM Corporation and Adaptec Inc over defined intervals.

Symantec says that this threat was configured to run for 30 days by default and then automatically remove itself from the system to avoid detection. ICS Alert has advised the user community to look for the following:
  • Monitor for network traffic anomalies, such as:
    - Beaconing to unknown IP addresses
    - Spikes in traffic
    - Outgoing binary files such as JPG
    - HTTP and HTTPS traffic from machines that do not have browsers installed
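The following is an added example, not code from the original post or from any vendor, that turns three of the indicators above (beaconing to unknown IPs, outbound JPG/binary uploads, HTTP from hosts without a browser) into checks over a constructed outbound proxy log. The allow-list of known destinations and the browser inventory are assumptions a defender would fill in from their own environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound proxy/flow records (not real traffic):
# (time_s, src_host, dst_ip, method, bytes_out, content_type)
SAMPLE_LOG = [
    (0,   "ws-17",  "203.0.113.9",  "POST", 48000, "image/jpeg"),
    (300, "ws-17",  "203.0.113.9",  "POST", 51000, "image/jpeg"),
    (601, "ws-17",  "203.0.113.9",  "POST", 47500, "image/jpeg"),
    (899, "ws-17",  "203.0.113.9",  "POST", 50200, "image/jpeg"),
    (12,  "ws-03",  "198.51.100.4", "GET",  300,   "text/html"),
    (845, "ws-03",  "198.51.100.4", "GET",  310,   "text/html"),
    (30,  "hmi-01", "203.0.113.9",  "GET",  200,   "text/html"),
]
KNOWN_DESTINATIONS = {"198.51.100.4"}   # assumed allow-list of business destinations
HOSTS_WITH_BROWSER = {"ws-03", "ws-17"}  # assumed software inventory

def find_beacons(log, known, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs to unknown IPs whose connection intervals are near-constant."""
    times = defaultdict(list)
    for rec in log:
        if rec[2] not in known:
            times[(rec[1], rec[2])].append(rec[0])
    beacons = set()
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Low relative jitter between contacts is the signature of a scheduled callback
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons.add(pair)
    return beacons

def find_binary_uploads(log, min_bytes=10000):
    """Flag outbound POSTs with image/binary bodies, i.e. the JPG carrier channel."""
    return sorted({(src, dst) for _, src, dst, method, size, ctype in log
                   if method == "POST" and size >= min_bytes
                   and (ctype.startswith("image/") or ctype == "application/octet-stream")})

def find_browserless_http(log, hosts_with_browser):
    """Flag hosts generating HTTP(S) requests although no browser is inventoried on them."""
    return sorted({rec[1] for rec in log if rec[1] not in hosts_with_browser})

def triage(log=SAMPLE_LOG):
    return {
        "beacons": find_beacons(log, KNOWN_DESTINATIONS),
        "binary_uploads": find_binary_uploads(log),
        "browserless_http": find_browserless_http(log, HOSTS_WITH_BROWSER),
    }

if __name__ == "__main__":
    for name, hits in triage().items():
        print(name, hits)
```

On the sample, ws-17 trips both the beacon and the upload check for the same unknown address, which is the correlation an analyst would escalate; hmi-01 trips the browserless check alone.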
Kaspersky says that "It is most likely that this project was not the only one, but the aims and tasks of the different variants of the Trojan program are as yet unknown". It cannot be ruled out that this platform continues to develop; moreover, the discovery of Duqu by security experts will mean further changes are being or will be made to the platform. We’re likely to see more modifications in the future.


Who Knows? Time is the answer.


---- It is essential to Understand our Digital Systems.
