Wednesday, October 19, 2011

Duqu - RAT Trojan, "Precursor to the Next Stuxnet" - samples


Img: materkat.wordpress.com
Oct 20 update: I added another file.

According to Symantec:
"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. "

General File Information

MD5:
  1. 0a566b1616c8afeef214372b1a0580c7  cmi4432.pnf
  2. 0eecd17c6c215b358b7b872b74bfd800  jminet7.sys
  3. 4541e850a228eb69fd0f0e924624b245  cmi4432.sys
  4. 94c4ef91dfcd0c53a96fdc387f9f9c35  netp192.pnf
  5. 9749d38ae9b9ddd81b50aad679ee87ec  Infostealer
  6. b4ac366e24204d821376653279cbad86  netp191.PNF
  7. e8d6b4dadb96ddb58775e6c85b10b6cc  cmi4464.PNF
  8. 3d83b077d32c422d6c7016b5083b9fc2  adpu321.sys
  9. c9a31ea148232b201fe7cb7db5c75f5e  nfrd965.sys
 

Malware: Duqu
Research:
  1. 45-page paper by Symantec: W32.Duqu
  2. Symantec: W32.Duqu: The Precursor to the Next Stuxnet
  3. ICS-ALERT-11-291-01A—W32.DUQU: AN INFORMATION-GATHERING MALWARE TARGETING INDUSTRIAL CONTROL SYSTEMS MANUFACTURERS
  4. Stuxnet Malware Analysis Paper by AmrThabet
"POSSIBLE INDICATORS
--------- Begin Update A Part 1 of 2 --------
Duqu uses HTTP and HTTPS to communicate with a command and control (C&C) server at 206.183.111.97. This server is located in India and has been disabled by the ISP. ICS-CERT strongly recommends that organizations check network and proxy logs for any communication with this IP address. If any communication is identified, please contact ICS-CERT for further guidance.
Revoked Verisign certificate
--------- End Update A Part 1 of 2 ----------
Symantec has provided sample names and hashes for the files identified as part of this threat.

File Name      MD5 Hash
cmi4432.pnf    0a566b1616c8afeef214372b1a0580c7
netp192.pnf    94c4ef91dfcd0c53a96fdc387f9f9c35
cmi4464.PNF    e8d6b4dadb96ddb58775e6c85b10b6cc
netp191.PNF    b4ac366e24204d821376653279cbad86
cmi4432.sys    4541e850a228eb69fd0f0e924624b245
jminet7.sys    0eecd17c6c215b358b7b872b74bfd800
Infostealer    9749d38ae9b9ddd81b50aad679ee87ec"  - ICS ALERT
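As an added example (not part of the original post, the ICS-CERT alert, or Symantec's material), here is a small Python sweep that applies the two indicators given above: it hashes the files under a directory and matches them against the MD5 list, and it flags proxy-log lines that reference the C&C address 206.183.111.97. The Squid-style log lines are constructed for the demonstration, and the function names (`sweep_directory`, `c2_hits`, `match_md5`) are my own.

```python
"""Indicator sweep for the Duqu MD5s and C&C address listed in the post.
Added example for this page; function names and sample log are the editor's."""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# MD5 -> component name, copied from the hash list in the post.
DUQU_MD5S: Dict[str, str] = {
    "0a566b1616c8afeef214372b1a0580c7": "cmi4432.pnf",
    "0eecd17c6c215b358b7b872b74bfd800": "jminet7.sys",
    "4541e850a228eb69fd0f0e924624b245": "cmi4432.sys",
    "94c4ef91dfcd0c53a96fdc387f9f9c35": "netp192.pnf",
    "9749d38ae9b9ddd81b50aad679ee87ec": "Infostealer",
    "b4ac366e24204d821376653279cbad86": "netp191.PNF",
    "e8d6b4dadb96ddb58775e6c85b10b6cc": "cmi4464.PNF",
    "3d83b077d32c422d6c7016b5083b9fc2": "adpu321.sys",
    "c9a31ea148232b201fe7cb7db5c75f5e": "nfrd965.sys",
}

# C&C address from the ICS-CERT alert quoted in the post.
DUQU_C2_IP = "206.183.111.97"
# Digit guards on both sides so a longer string such as 1206.183.111.97 does not match.
_C2_RE = re.compile(r"(?<!\d)" + re.escape(DUQU_C2_IP) + r"(?!\d)")


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex; MD5 is used only to compare with the published IoCs."""
    return hashlib.md5(data).hexdigest()


def match_md5(digest: str) -> Optional[str]:
    """Return the Duqu component name for a listed MD5 (any letter case), else None."""
    return DUQU_MD5S.get(digest.strip().lower())


def sweep_directory(root: str) -> List[Tuple[str, str]]:
    """Hash every regular file under root and return (path, component) for each listed hash."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.md5()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # unreadable or vanished file: skip it and keep sweeping
            component = match_md5(h.hexdigest())
            if component is not None:
                hits.append((path, component))
    return hits


def c2_hits(lines: Iterable[str]) -> List[str]:
    """Return the log lines that reference the C&C IP in any field (URL, CONNECT target, peer)."""
    return [line.rstrip("\n") for line in lines if _C2_RE.search(line)]


# Constructed Squid-style access-log lines (not real traffic). Lines 1 and 3
# reference the C&C address; line 4 is a near miss that must not match.
SAMPLE_PROXY_LOG = """\
1319027815.123  412 10.1.2.34 TCP_MISS/200 1523 GET http://206.183.111.97/ - DIRECT/206.183.111.97 image/jpeg
1319027816.456   98 10.1.2.35 TCP_MISS/200 8820 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1319027817.789  301 10.1.2.36 TCP_MISS/200  400 CONNECT 206.183.111.97:443 - DIRECT/206.183.111.97 -
1319027818.000   50 10.1.2.37 TCP_MISS/200  400 GET http://1206.183.111.97/ - DIRECT/1206.183.111.97 -
"""


if __name__ == "__main__":
    for hit in c2_hits(SAMPLE_PROXY_LOG.splitlines()):
        print("C&C contact:", hit)
    # Point this at a quarantine or evidence directory to check file hashes.
    for path, component in sweep_directory("."):
        print("Hash match:", path, "->", component)
```

The log match is anchored on digit boundaries rather than a plain substring search so that addresses which merely contain the C&C octets do not produce false positives; the hash lookup lower-cases its input because the post lists the same hashes in both cases.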


Analysis notes


The question of the day, from a researcher: does anyone have a working decoder?

Do you have comments or suggestions regarding the decoder code below? Please email me or post them in the comment section. Thanks very much.


def ror(byte, count):
    # Rotate an 8-bit value right by `count` bits; the result is masked to one byte.
    while count > 0:
        byte = (byte >> 1 | byte << 7) & 0xFF
        count -= 1
    return byte


def decode(key, data):
    # data may be a str (Python 2) or bytes (Python 3). Each input byte is XORed
    # with the low byte of the running key state, and the state is then morphed
    # before the next byte is processed.
    keyxform = key ^ 0x8471122
    decoded = ''
    for x in data:
        if not isinstance(x, int):
            x = ord(x)
        decoded += chr(x ^ (keyxform & 0xff))
        # Key schedule: rotate, then mix. Note that the state is not reduced
        # modulo 2**32 here, so it is unbounded in Python.
        keymorph = ror(keyxform, 3)
        keyxform = ((((keymorph * keymorph) * 0x1e2d6da3) >> 0xc)
                    + (0x4747293 * keymorph) + 1) ^ keymorph
    return decoded
The ror is needed.




Download



Download all samples listed above, named by MD5, plus the PNF files, as a password-protected archive (contact me if you need the password), with many thanks to all who donated samples: Sebastián Guerrero Selma from MalwareIntelligence, Anthony Aykut from Frame4 Security Services, and others.

Additional: 3d83b077d32c422d6c7016b5083b9fc2 - adpu321.sys




Automated Scans

File name:  9749d38ae9b9ddd81b50aad679ee87ec
Submission date: 2011-10-19 12:36:55 (UTC)
Result: 31/43 (72.1%)
http://www.virustotal.com/file-scan/report.html?id=f1ee026692c8458bdd698884183150eb2b898a576bc1d94668bf9e0ec1bb7507-1319027815
AhnLab-V3     2011.10.18.00     2011.10.18     Trojan/Win32.Duqu
AntiVir     7.11.16.64     2011.10.19     TR/Spy.Duqu.A
Avast     6.0.1289.0     2011.10.19     Win32:HideProc-R [Trj]
AVG     10.0.0.1190     2011.10.18     Crypt.AKSF
BitDefender     7.2     2011.10.19     Gen:Trojan.Heur.FU.fuW@aGQd0Wpi
CAT-QuickHeal     11.00     2011.10.19     Trojan.Inject.bjyg
Comodo     10489     2011.10.19     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.10.19     Trojan.PWS.Duqu.1
Emsisoft     5.1.0.11     2011.10.19     Trojan.Win32.Inject!IK
eSafe     7.0.17.0     2011.10.17     Win32.TRCrypt.XPACK
eTrust-Vet     36.1.8627     2011.10.19     -
F-Secure     9.0.16440.0     2011.10.19     Gen:Trojan.Heur.FU.fuW@aGQd0Wpi
Fortinet     4.3.370.0     2011.10.19     W32/Inject.BJYG!tr
GData     22     2011.10.19     Gen:Trojan.Heur.FU.fuW@aGQd0Wpi
Ikarus     T3.1.1.107.0     2011.10.19     Trojan.Win32.Inject
K7AntiVirus     9.115.5307     2011.10.18     Trojan
Kaspersky     9.0.0.837     2011.10.19     Trojan.Win32.Inject.bjyg
McAfee     5.400.0.1158     2011.10.19     PWS-Duqu.dr
McAfee-GW-Edition     2010.1D     2011.10.19     Generic Dropper.i
Microsoft     1.7801     2011.10.19     Trojan:Win32/Hideproc.G
NOD32     6556     2011.10.19     Win32/Duqu.A
Norman     6.07.11     2011.10.19     W32/Suspicious_Gen2.QNMIY
nProtect     2011-10-19.02     2011.10.19     Trojan/W32.Duqu.85504
PCTools     8.0.0.5     2011.10.19     Trojan.Gen
Rising     23.80.02.03     2011.10.19     Trojan.Win32.Generic.1294569B
Sophos     4.70.0     2011.10.19     Troj/Bdoor-BDA
SUPERAntiSpyware     4.40.0.1006     2011.10.19     -
Symantec     20111.2.0.82     2011.10.19     Trojan.Gen.2
TrendMicro     9.500.0.1008     2011.10.19     TROJ_SHADOW.AF
TrendMicro-HouseCall     9.500.0.1008     2011.10.19     TROJ_SHADOW.AF
VBA32     3.12.16.4     2011.10.19     Trojan.Inject.bjyg
VIPRE     10808     2011.10.19     Trojan.Win32.Generic!BT
VirusBuster     14.1.19.0     2011.10.19     Trojan.Agent.RD
Additional information
MD5   : 9749d38ae9b9ddd81b50aad679ee87ec


File name: e8d6b4dadb96ddb58775e6c85b10b6cc
Submission date: 2011-10-19 16:27:16 (UTC)
Result: 7/43 (16.3%)
ClamAV    0.97.0.0    2011.10.19    Trojan.Duqu-3
Kaspersky    9.0.0.837    2011.10.19    Trojan.Win32.Duqu.a
Norman    6.07.11    2011.10.19    Suspicious_Gen2.RKQOF
PCTools    8.0.0.5    2011.10.19    Trojan.Generic
Sophos    4.70.0    2011.10.19    Troj/DuquCn-A
Symantec    20111.2.0.82    2011.10.19    Trojan Horse
TrendMicro-HouseCall    9.500.0.1008    2011.10.19    -
ViRobot    2011.10.19.4727    2011.10.19    Trojan.Win32.S.Duqu.6750
MD5   : e8d6b4dadb96ddb58775e6c85b10b6cc

File name: b4ac366e24204d821376653279cbad86
Submission date: 2011-10-19 15:42:24 (UTC)
Result: 5/43 (11.6%)
ClamAV     0.97.0.0     2011.10.19     Trojan.Duqu
Kaspersky     9.0.0.837     2011.10.19     Trojan.Win32.Duqu.a
PCTools     8.0.0.5     2011.10.19     Trojan.Generic
Symantec     20111.2.0.82     2011.10.19     Trojan Horse
ViRobot     2011.10.19.4727     2011.10.19     Trojan.Win32.S.Duqu.232448
MD5   : b4ac366e24204d821376653279cbad86

File name: 4541E850A228EB69FD0F0E924624B245
Result: 25/42 (59.5%)
AhnLab-V3     2011.10.19.00     2011.10.19     Trojan/Win32.Duqu
AntiVir     7.11.16.66     2011.10.19     TR/Duqu.A.3
Avast     6.0.1289.0     2011.10.19     Win32:Malware-gen
BitDefender     7.2     2011.10.19     Rootkit.Duqu.A
ClamAV     0.97.0.0     2011.10.19     Trojan.Duqu.Infostealer
Comodo     10495     2011.10.19     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.10.19     Trojan.Duqu.1
Emsisoft     5.1.0.11     2011.10.19     Trojan.WinNT.Duqu!IK
F-Secure     9.0.16440.0     2011.10.19     Backdoor:W32/Duqu.B
Fortinet     4.3.370.0     2011.10.19     W32/Duqu.ROOTKIT!tr.pws
GData     22     2011.10.19     Rootkit.Duqu.A
Ikarus     T3.1.1.107.0     2011.10.19     Trojan.WinNT.Duqu
Kaspersky     9.0.0.837     2011.10.19     Trojan.Win32.Duqu.a
McAfee     5.400.0.1158     2011.10.19     PWS-Duqu!rootkit
McAfee-GW-Edition     2010.1D     2011.10.19     PWS-Duqu!rootkit
Microsoft     1.7801     2011.10.19     Trojan:WinNT/Duqu.A
NOD32     6557     2011.10.19     Win32/Duqu.A
nProtect     2011-10-19.02     2011.10.19     Trojan/W32.Duqu.29568
Panda     10.0.3.5     2011.10.19     Trj/Duqu.A
PCTools     8.0.0.5     2011.10.19     Malware.Duqu
Sophos     4.70.0     2011.10.19     W32/Duqu-A
Symantec     20111.2.0.82     2011.10.19     W32.Duqu
VIPRE     10809     2011.10.19     Trojan.Win32.Generic!BT
ViRobot     2011.10.19.4727     2011.10.19     Trojan.Win32.S.Duqu.29568
VirusBuster     14.1.20.0     2011.10.19     Trojan.Duqu!5GX0xuP5QyA
MD5   : 4541e850a228eb69fd0f0e924624b245


File name: 94c4ef91dfcd0c53a96fdc387f9f9c35
Submission date: 2011-10-19 15:41:26 (UTC)
Result: 7/43 (16.3%)
ClamAV     0.97.0.0     2011.10.19     Trojan.Duqu-1
Kaspersky     9.0.0.837     2011.10.19     Trojan.Win32.Duqu.a
Norman     6.07.11     2011.10.19     Suspicious_Gen2.RKQNO
PCTools     8.0.0.5     2011.10.19     Trojan.Generic
Sophos     4.70.0     2011.10.19     Troj/DuquCn-A
Symantec     20111.2.0.82     2011.10.19     Trojan Horse
TrendMicro-HouseCall     9.500.0.1008     2011.10.19     -
ViRobot     2011.10.19.4727     2011.10.19     Trojan.Win32.S.Duqu.6750.A
MD5   : 94c4ef91dfcd0c53a96fdc387f9f9c35


File name: D17C6A9ED7299A8A55CD962BDB8A5A974D0CB660.ViR
Submission date: 2011-10-19 15:35:08 (UTC)
Result: 22/42 (52.4%)
AhnLab-V3     2011.10.19.00     2011.10.19     Trojan/Win32.Duqu
AntiVir     7.11.16.66     2011.10.19     TR/Duqu.A.1
BitDefender     7.2     2011.10.19     Trojan.Generic.6742310
ClamAV     0.97.0.0     2011.10.19     Trojan.Duqu.Infostealer
Comodo     10495     2011.10.19     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.10.19     Trojan.Duqu.1
Emsisoft     5.1.0.11     2011.10.19     Trojan.Win32.Duqu!IK
F-Secure     9.0.16440.0     2011.10.19     Backdoor:W32/Duqu.B
GData     22     2011.10.19     Trojan.Generic.6742310
Ikarus     T3.1.1.107.0     2011.10.19     Trojan.Win32.Duqu
Kaspersky     9.0.0.837     2011.10.19     Trojan.Win32.Duqu.a
McAfee     5.400.0.1158     2011.10.19     PWS-Duqu!rootkit
McAfee-GW-Edition     2010.1D     2011.10.19     PWS-Duqu!rootkit
Microsoft     1.7801     2011.10.19     Trojan:WinNT/Duqu.A
NOD32     6557     2011.10.19     Win32/Duqu.A
Norman     6.07.11     2011.10.19     W32/Rootkit.CJEV
nProtect     2011-10-19.02     2011.10.19     Trojan/W32.Duqu.24960
Panda     10.0.3.5     2011.10.19     Trj/Duqu.A
PCTools     8.0.0.5     2011.10.19     Malware.Duqu
Sophos     4.70.0     2011.10.19     W32/Duqu-A
ViRobot     2011.10.19.4727     2011.10.19     Trojan.Win32.S.Duqu.24960
VirusBuster     14.1.20.0     2011.10.19     Trojan.Duqu!5GX0xuP5QyA
MD5   : 0eecd17c6c215b358b7b872b74bfd800

File name: 0a566b1616c8afeef214372b1a0580c7
Submission date: 2011-10-19 15:39:50 (UTC)
Result: 5/42 (11.9%)
ClamAV     0.97.0.0     2011.10.19     Trojan.Duqu-2
Kaspersky     9.0.0.837     2011.10.19     Trojan.Win32.Duqu.a
PCTools     8.0.0.5     2011.10.19     Trojan.Generic
Symantec     20111.2.0.82     2011.10.19     Trojan Horse
ViRobot     2011.10.19.4727     2011.10.19     Trojan.Win32.S.Duqu.192512
MD5   : 0a566b1616c8afeef214372b1a0580c7

File name: C9A31EA148232B201FE7CB7DB5C75F5E
Result: 3/42 (7.1%)
NOD32     6556     2011.10.19     a variant of Win32/Duqu.A
PCTools     8.0.0.5     2011.10.19     Malware.Duqu
Symantec     20111.2.0.82     2011.10.19     W32.Duqu
TrendMicro-HouseCall     9.500.0.1008     2011.10.19     -
MD5   : c9a31ea148232b201fe7cb7db5c75f5e

10 comments:

  1. Check out the latest info from ESET which includes some information on the decryption algorithm and a script you can use. It also contains a decrypted config file for analysis.

    http://blog.eset.com/2011/10/25/win32duqu-it%E2%80%99s-a-date
    http://scadahacker.com/resources/duqu

  2. Please send me the password to sanken_new@yahoo.com

  3. Do we have any idea what the dropper doc files look like yet?

  4. Trey Smith Blog

    Hi Mila Excellently written article, if only all bloggers offered the same content as you, the internet would be a much better place. Please keep it up!
    I like it very much because it has very helpful articles on various topics like different cultures and the latest news. I am a googler and search on many topics. By searching I found this nice website. Thanks for sharing.

  5. With the dropper finally discovered, if anyone finds a copy, please post to Mila and share on this forum.

    Happy Hunting!

  6. Please send me the password to Alexandr Komarov;

  7. Alexandr Komarov ubbabru@yahoo.com

  8. Please send me a password for unzipping the files.
    My email is sagarbhmr@gmail.com

  9. Since this bug has been long patched by now, is the dropper doc available?

    Replies
    1. @Anonymous.
      Not available. If you have it, please share. Thanks
