Oct 20 note: I added another file.
According to Symantec:
"Duqu does not contain any code related to industrial control systems
and is primarily a remote access Trojan (RAT). The threat does not
self-replicate. Our telemetry shows the threat was highly targeted
toward a limited number of organizations for their specific assets.
However, it’s possible that other attacks are being conducted against
other organizations in a similar manner with currently undetected
variants.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information."
General File Information
MD5:
- 0a566b1616c8afeef214372b1a0580c7 cmi4432.pnf
- 0eecd17c6c215b358b7b872b74bfd800 jminet7.sys
- 4541e850a228eb69fd0f0e924624b245 cmi4432.sys
- 94c4ef91dfcd0c53a96fdc387f9f9c35 netp192.pnf
- 9749d38ae9b9ddd81b50aad679ee87ec Infostealer
- b4ac366e24204d821376653279cbad86 netp191.PNF
- e8d6b4dadb96ddb58775e6c85b10b6cc cmi4464.PNF
- 3d83b077d32c422d6c7016b5083b9fc2 adpu321.sys
- C9A31EA148232B201FE7CB7DB5C75F5E nfrd965.sys
Malware: Duqu
Research:
- 45-page paper by Symantec: W32.Duqu
- Symantec W32.Duqu: The Precursor to the Next Stuxnet
- ICS-ALERT-11-291-01A—W32.DUQU: AN INFORMATION-GATHERING MALWARE TARGETING INDUSTRIAL CONTROL SYSTEMS MANUFACTURERS
- Stuxnet Malware Analysis Paper by Amr Thabet
'POSSIBLE INDICATORS
--------- Begin Update A Part 1 of 2 --------
Duqu uses HTTP and HTTPS to communicate with a command and control (C&C) server at 206.183.111.97. This server is located in India and has been disabled by the ISP. ICS-CERT strongly recommends that organizations check network and proxy logs for any communication with this IP address. If any communication is identified, please contact ICS-CERT for further guidance.
--------- End Update A Part 1 of 2 ----------
Revoked Verisign certificate
Symantec has provided sample names and hashes for the files identified as part of this threat.
File Name       MD5 Hash
cmi4432.pnf     0a566b1616c8afeef214372b1a0580c7
netp192.pnf     94c4ef91dfcd0c53a96fdc387f9f9c35
cmi4464.PNF     e8d6b4dadb96ddb58775e6c85b10b6cc
netp191.PNF     b4ac366e24204d821376653279cbad86
cmi4432.sys     4541e850a228eb69fd0f0e924624b245
jminet7.sys     0eecd17c6c215b358b7b872b74bfd800
Infostealer     9749d38ae9b9ddd81b50aad679ee87ec' - ICS-CERT alert
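The alert quoted above gives two kinds of indicator: a C&C address to look for in network and proxy logs, and a set of file names and MD5 hashes. What follows is an added example of a defender-side sweep over both; it is my code, not something published by ICS-CERT, Symantec or this blog. The proxy log lines and file contents are constructed, the squid-style field layout (client IP in the third column) is an assumption, and the file paths are placeholders. A file that carries a Duqu component name but an unknown hash is reported separately, since Symantec's note about undetected variants makes that case worth a look rather than a dismissal.

```python
import hashlib
import ipaddress
import re

# --- Indicators taken from the ICS-CERT alert and the Symantec hash list above ---
DUQU_C2_IPS = {"206.183.111.97"}
DUQU_MD5 = {
    "0a566b1616c8afeef214372b1a0580c7": "cmi4432.pnf",
    "94c4ef91dfcd0c53a96fdc387f9f9c35": "netp192.pnf",
    "e8d6b4dadb96ddb58775e6c85b10b6cc": "cmi4464.PNF",
    "b4ac366e24204d821376653279cbad86": "netp191.PNF",
    "4541e850a228eb69fd0f0e924624b245": "cmi4432.sys",
    "0eecd17c6c215b358b7b872b74bfd800": "jminet7.sys",
    "9749d38ae9b9ddd81b50aad679ee87ec": "Infostealer",
}
DUQU_NAMES = {n.lower() for n in DUQU_MD5.values()}

# --- Network side: sweep a proxy log for the C&C address ---
# Whole-token IPv4 match, so 206.183.111.9 is not taken for 206.183.111.97.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def ips_in_line(line):
    """Syntactically valid IPv4 addresses appearing as whole tokens in a line."""
    found = set()
    for tok in _IPV4_RE.findall(line):
        try:
            found.add(str(ipaddress.IPv4Address(tok)))
        except ipaddress.AddressValueError:
            pass  # e.g. 300.1.1.1: looks like an address, is not one
    return found

def find_c2_hits(log_text, c2_ips=DUQU_C2_IPS):
    """(line_no, client_ip, c2_ip) for each line referencing a C&C address.
    Assumption: squid-style access log, client IP in the third field."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for ip in sorted(ips_in_line(line) & c2_ips):
            fields = line.split()
            hits.append((no, fields[2] if len(fields) > 2 else "?", ip))
    return hits

# --- Host side: hash and name check against the published list ---
def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def classify_file(path, data, known_md5=DUQU_MD5, known_names=DUQU_NAMES):
    """'hash-match': a published Duqu hash; 'name-only': a Duqu component name
    with an unknown hash (possible undetected variant, or a benign name
    collision, either way worth inspecting); 'clean': neither."""
    if md5_hex(data).lower() in known_md5:
        return "hash-match"
    basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return "name-only" if basename in known_names else "clean"

def triage_files(files, known_md5=DUQU_MD5, known_names=DUQU_NAMES):
    """files: {path: bytes}. Returns {path: verdict} for every non-clean file."""
    out = {}
    for path, data in files.items():
        verdict = classify_file(path, data, known_md5, known_names)
        if verdict != "clean":
            out[path] = verdict
    return out

# Constructed sample inputs: neither real traffic nor real samples.
SAMPLE_PROXY_LOG = """\
1319027815.123    245 10.1.2.33 TCP_MISS/200 1412 GET http://206.183.111.97/ - DIRECT/206.183.111.97 image/jpeg
1319027816.456     12 10.1.2.40 TCP_HIT/200 8831 GET http://www.example.com/ - NONE/- text/html
1319027820.789    301 10.1.2.33 TCP_MISS/200 622 CONNECT 206.183.111.97:443 - DIRECT/206.183.111.97 -
1319027825.001    120 10.1.2.51 TCP_MISS/200 4096 GET http://206.183.111.9/ - DIRECT/206.183.111.9 text/html
"""
SAMPLE_FILES = {  # placeholder paths and contents
    "C:\\Windows\\inf\\CMI4432.PNF": b"constructed placeholder, not a Duqu sample",
    "C:\\Windows\\system32\\drivers\\usbstor.sys": b"constructed benign driver placeholder",
}

if __name__ == "__main__":
    for no, client, ip in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"proxy log line {no}: {client} -> {ip}")
    for path, verdict in triage_files(SAMPLE_FILES).items():
        print(f"{verdict}: {path}")
```

On real data, feed `find_c2_hits` the proxy or firewall export and `triage_files` a walk of the inf and drivers directories; the whole-token address match matters because a prefix match on the C&C IP would both miss nothing and flood the result with neighbouring addresses.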
Analysis notes
The question of the day - from a researcher: Does anyone have a working decoder?
Do you have comments or suggestions regarding the decoder code below? Please email me or post them in the comment section. Thanks very much.
def ror(byte, count):
    # Rotate an 8-bit value right by `count` bits (result masked to one byte).
    while count > 0:
        byte = (byte >> 1 | byte << 7) & 0xFF
        count -= 1
    return byte

def decode(key, data):
    # `data` is the encoded blob: a bytes object in Python 3 or a str in Python 2.
    keyxform = key ^ 0x8471122
    decoded = ''
    for x in data:
        b = x if isinstance(x, int) else ord(x)
        decoded += chr(b ^ (keyxform & 0xff))
        # Advance the key schedule: rotate, then mix with multiply, shift and add.
        keymorph = ror(keyxform, 3)
        keyxform = ((((keymorph * keymorph) * 0x1e2d6da3) >> 0xc) + (0x4747293 * keymorph) + 1) ^ keymorph
    return decoded
The ror is needed.
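As an added analysis harness for the question above (my code, not the author's decoder and not anything the page or ESET supplies), the block below reimplements the key schedule from the snippet as a keystream generator and shows two things a reviewer of that decoder would want to know. First, the operation is a plain XOR with a data-independent stream, so the same function re-encodes and the round trip can be checked. Second, because ror() masks its result to one byte and its first rotation reads only bits 0..8 of keyxform, each step of the schedule depends on just 9 bits of state; the stream therefore repeats within 512 bytes for any key, and Python's unbounded integers change nothing since bits above 8 never feed back. A real config file longer than that which still fails to decode would point at the reimplementation rather than the key. The plausibility score is a constructed heuristic for judging a candidate decode, not part of any Duqu format.

```python
import string

def ror(byte, count):
    """Bit-for-bit the ror() from the snippet above: rotate right, masked to a byte."""
    while count > 0:
        byte = (byte >> 1 | byte << 7) & 0xFF
        count -= 1
    return byte

def next_key(keyxform):
    """One step of the key schedule from decode() above."""
    keymorph = ror(keyxform, 3)
    return ((((keymorph * keymorph) * 0x1e2d6da3) >> 0xc)
            + (0x4747293 * keymorph) + 1) ^ keymorph

def keystream(key, length):
    """The byte sequence decode() XORs against the data for a given key."""
    keyxform = key ^ 0x8471122
    out = bytearray()
    for _ in range(length):
        out.append(keyxform & 0xFF)
        keyxform = next_key(keyxform)
    return bytes(out)

def xor_stream(key, data):
    """Same operation in both directions: XOR with the stream decodes or re-encodes."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def state_cycle(key):
    """(preperiod, period) of the schedule. Only bits 0..8 of keyxform influence
    next_key(), so there are at most 512 distinct states and the walk below
    always terminates with preperiod + period <= 512."""
    keyxform = key ^ 0x8471122
    seen = {}
    i = 0
    while True:
        state = keyxform & 0x1FF
        if state in seen:
            return seen[state], i - seen[state]
        seen[state] = i
        keyxform = next_key(keyxform)
        i += 1

def plausibility(candidate):
    """Constructed heuristic for judging a candidate decode: fraction of printable
    ASCII, or of NUL bytes in odd positions (UTF-16LE text), whichever is higher."""
    if not candidate:
        return 0.0
    printable = set(string.printable.encode())
    ascii_score = sum(b in printable for b in candidate) / len(candidate)
    odd = candidate[1::2]
    utf16_score = sum(b == 0 for b in odd) / len(odd) if odd else 0.0
    return max(ascii_score, utf16_score)

if __name__ == "__main__":
    key = 0x1234  # constructed key, not one recovered from a sample
    pre, per = state_cycle(key)
    print(f"key {key:#x}: stream repeats after {pre} bytes with period {per}")
    blob = xor_stream(key, b"constructed plaintext")
    print(plausibility(blob), plausibility(xor_stream(key, blob)))
```

To use it on a real PNF blob, try candidate keys, score `xor_stream(key, blob)` with `plausibility`, and compare the period reported by `state_cycle` against the length of the region that decodes cleanly before concluding the key is wrong.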
Download
Download all samples listed above, named by MD5, plus the PNF files, as a password-protected archive (contact me if you need the password).
With many thanks to all who donated samples: Sebastián Guerrero Selma from MalwareIntelligence, Anthony Aykut from Frame4 Security Services, and others.
3d83b077d32c422d6c7016b5083b9fc2 adpu321.sys (additional)
Automated Scans
File name: 9749d38ae9b9ddd81b50aad679ee87ec
Submission date: 2011-10-19 12:36:55 (UTC)
Result: 31/43 (72.1%)
http://www.virustotal.com/file-scan/report.html?id=f1ee026692c8458bdd698884183150eb2b898a576bc1d94668bf9e0ec1bb7507-1319027815
AhnLab-V3 2011.10.18.00 2011.10.18 Trojan/Win32.Duqu
AntiVir 7.11.16.64 2011.10.19 TR/Spy.Duqu.A
Avast 6.0.1289.0 2011.10.19 Win32:HideProc-R [Trj]
AVG 10.0.0.1190 2011.10.18 Crypt.AKSF
BitDefender 7.2 2011.10.19 Gen:Trojan.Heur.FU.fuW@aGQd0Wpi
CAT-QuickHeal 11.00 2011.10.19 Trojan.Inject.bjyg
Comodo 10489 2011.10.19 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.10.19 Trojan.PWS.Duqu.1
Emsisoft 5.1.0.11 2011.10.19 Trojan.Win32.Inject!IK
eSafe 7.0.17.0 2011.10.17 Win32.TRCrypt.XPACK
eTrust-Vet 36.1.8627 2011.10.19 -
F-Secure 9.0.16440.0 2011.10.19 Gen:Trojan.Heur.FU.fuW@aGQd0Wpi
Fortinet 4.3.370.0 2011.10.19 W32/Inject.BJYG!tr
GData 22 2011.10.19 Gen:Trojan.Heur.FU.fuW@aGQd0Wpi
Ikarus T3.1.1.107.0 2011.10.19 Trojan.Win32.Inject
K7AntiVirus 9.115.5307 2011.10.18 Trojan
Kaspersky 9.0.0.837 2011.10.19 Trojan.Win32.Inject.bjyg
McAfee 5.400.0.1158 2011.10.19 PWS-Duqu.dr
McAfee-GW-Edition 2010.1D 2011.10.19 Generic Dropper.i
Microsoft 1.7801 2011.10.19 Trojan:Win32/Hideproc.G
NOD32 6556 2011.10.19 Win32/Duqu.A
Norman 6.07.11 2011.10.19 W32/Suspicious_Gen2.QNMIY
nProtect 2011-10-19.02 2011.10.19 Trojan/W32.Duqu.85504
PCTools 8.0.0.5 2011.10.19 Trojan.Gen
Rising 23.80.02.03 2011.10.19 Trojan.Win32.Generic.1294569B
Sophos 4.70.0 2011.10.19 Troj/Bdoor-BDA
SUPERAntiSpyware 4.40.0.1006 2011.10.19 -
Symantec 20111.2.0.82 2011.10.19 Trojan.Gen.2
TrendMicro 9.500.0.1008 2011.10.19 TROJ_SHADOW.AF
TrendMicro-HouseCall 9.500.0.1008 2011.10.19 TROJ_SHADOW.AF
VBA32 3.12.16.4 2011.10.19 Trojan.Inject.bjyg
VIPRE 10808 2011.10.19 Trojan.Win32.Generic!BT
VirusBuster 14.1.19.0 2011.10.19 Trojan.Agent.RD
Additional information
MD5 : 9749d38ae9b9ddd81b50aad679ee87ec
e8d6b4dadb96ddb58775e6c85b10b6cc
Submission date: 2011-10-19 16:27:16 (UTC)
Result: 7/43 (16.3%)
ClamAV 0.97.0.0 2011.10.19 Trojan.Duqu-3
Kaspersky 9.0.0.837 2011.10.19 Trojan.Win32.Duqu.a
Norman 6.07.11 2011.10.19 Suspicious_Gen2.RKQOF
PCTools 8.0.0.5 2011.10.19 Trojan.Generic
Sophos 4.70.0 2011.10.19 Troj/DuquCn-A
Symantec 20111.2.0.82 2011.10.19 Trojan Horse
TrendMicro-HouseCall 9.500.0.1008 2011.10.19 -
ViRobot 2011.10.19.4727 2011.10.19 Trojan.Win32.S.Duqu.6750
MD5 : e8d6b4dadb96ddb58775e6c85b10b6cc
File name: b4ac366e24204d821376653279cbad86
Submission date: 2011-10-19 15:42:24 (UTC)
Result: 5/43 (11.6%)
ClamAV 0.97.0.0 2011.10.19 Trojan.Duqu
Kaspersky 9.0.0.837 2011.10.19 Trojan.Win32.Duqu.a
PCTools 8.0.0.5 2011.10.19 Trojan.Generic
Symantec 20111.2.0.82 2011.10.19 Trojan Horse
ViRobot 2011.10.19.4727 2011.10.19 Trojan.Win32.S.Duqu.232448
MD5 : b4ac366e24204d821376653279cbad86
4541E850A228EB69FD0F0E924624B245
Result: 25/42 (59.5%)
AhnLab-V3 2011.10.19.00 2011.10.19 Trojan/Win32.Duqu
AntiVir 7.11.16.66 2011.10.19 TR/Duqu.A.3
Avast 6.0.1289.0 2011.10.19 Win32:Malware-gen
BitDefender 7.2 2011.10.19 Rootkit.Duqu.A
ClamAV 0.97.0.0 2011.10.19 Trojan.Duqu.Infostealer
Comodo 10495 2011.10.19 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.10.19 Trojan.Duqu.1
Emsisoft 5.1.0.11 2011.10.19 Trojan.WinNT.Duqu!IK
F-Secure 9.0.16440.0 2011.10.19 Backdoor:W32/Duqu.B
Fortinet 4.3.370.0 2011.10.19 W32/Duqu.ROOTKIT!tr.pws
GData 22 2011.10.19 Rootkit.Duqu.A
Ikarus T3.1.1.107.0 2011.10.19 Trojan.WinNT.Duqu
Kaspersky 9.0.0.837 2011.10.19 Trojan.Win32.Duqu.a
McAfee 5.400.0.1158 2011.10.19 PWS-Duqu!rootkit
McAfee-GW-Edition 2010.1D 2011.10.19 PWS-Duqu!rootkit
Microsoft 1.7801 2011.10.19 Trojan:WinNT/Duqu.A
NOD32 6557 2011.10.19 Win32/Duqu.A
nProtect 2011-10-19.02 2011.10.19 Trojan/W32.Duqu.29568
Panda 10.0.3.5 2011.10.19 Trj/Duqu.A
PCTools 8.0.0.5 2011.10.19 Malware.Duqu
Sophos 4.70.0 2011.10.19 W32/Duqu-A
Symantec 20111.2.0.82 2011.10.19 W32.Duqu
VIPRE 10809 2011.10.19 Trojan.Win32.Generic!BT
ViRobot 2011.10.19.4727 2011.10.19 Trojan.Win32.S.Duqu.29568
VirusBuster 14.1.20.0 2011.10.19 Trojan.Duqu!5GX0xuP5QyA
MD5 : 4541e850a228eb69fd0f0e924624b245
94C4EF91DFCD0C53A96FDC387F9F9C35
File name: 94c4ef91dfcd0c53a96fdc387f9f9c35
Submission date: 2011-10-19 15:41:26 (UTC)
Result: 7/43 (16.3%)
ClamAV 0.97.0.0 2011.10.19 Trojan.Duqu-1
Kaspersky 9.0.0.837 2011.10.19 Trojan.Win32.Duqu.a
Norman 6.07.11 2011.10.19 Suspicious_Gen2.RKQNO
PCTools 8.0.0.5 2011.10.19 Trojan.Generic
Sophos 4.70.0 2011.10.19 Troj/DuquCn-A
Symantec 20111.2.0.82 2011.10.19 Trojan Horse
TrendMicro-HouseCall 9.500.0.1008 2011.10.19 -
ViRobot 2011.10.19.4727 2011.10.19 Trojan.Win32.S.Duqu.6750.A
MD5 : 94c4ef91dfcd0c53a96fdc387f9f9c35
0EECD17C6C215B358B7B872B74BFD800
D17C6A9ED7299A8A55CD962BDB8A5A974D0CB660.ViR
Submission date: 2011-10-19 15:35:08 (UTC)
Current status: finished
Result: 22/42 (52.4%)
AhnLab-V3 2011.10.19.00 2011.10.19 Trojan/Win32.Duqu
AntiVir 7.11.16.66 2011.10.19 TR/Duqu.A.1
BitDefender 7.2 2011.10.19 Trojan.Generic.6742310
ClamAV 0.97.0.0 2011.10.19 Trojan.Duqu.Infostealer
Comodo 10495 2011.10.19 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.10.19 Trojan.Duqu.1
Emsisoft 5.1.0.11 2011.10.19 Trojan.Win32.Duqu!IK
F-Secure 9.0.16440.0 2011.10.19 Backdoor:W32/Duqu.B
GData 22 2011.10.19 Trojan.Generic.6742310
Ikarus T3.1.1.107.0 2011.10.19 Trojan.Win32.Duqu
Kaspersky 9.0.0.837 2011.10.19 Trojan.Win32.Duqu.a
McAfee 5.400.0.1158 2011.10.19 PWS-Duqu!rootkit
McAfee-GW-Edition 2010.1D 2011.10.19 PWS-Duqu!rootkit
Microsoft 1.7801 2011.10.19 Trojan:WinNT/Duqu.A
NOD32 6557 2011.10.19 Win32/Duqu.A
Norman 6.07.11 2011.10.19 W32/Rootkit.CJEV
nProtect 2011-10-19.02 2011.10.19 Trojan/W32.Duqu.24960
Panda 10.0.3.5 2011.10.19 Trj/Duqu.A
PCTools 8.0.0.5 2011.10.19 Malware.Duqu
Sophos 4.70.0 2011.10.19 W32/Duqu-A
ViRobot 2011.10.19.4727 2011.10.19 Trojan.Win32.S.Duqu.24960
VirusBuster 14.1.20.0 2011.10.19 Trojan.Duqu!5GX0xuP5QyA
MD5 : 0eecd17c6c215b358b7b872b74bfd800
0A566B1616C8AFEEF214372B1A0580C7
0a566b1616c8afeef214372b1a0580c7
Submission date: 2011-10-19 15:39:50 (UTC)
Result: 5/42 (11.9%)
ClamAV 0.97.0.0 2011.10.19 Trojan.Duqu-2
Kaspersky 9.0.0.837 2011.10.19 Trojan.Win32.Duqu.a
PCTools 8.0.0.5 2011.10.19 Trojan.Generic
Symantec 20111.2.0.82 2011.10.19 Trojan Horse
ViRobot 2011.10.19.4727 2011.10.19 Trojan.Win32.S.Duqu.192512
MD5 : 0a566b1616c8afeef214372b1a0580c7
File name: C9A31EA148232B201FE7CB7DB5C75F5E
Current status: finished
Result: 3/42 (7.1%)
NOD32 6556 2011.10.19 a variant of Win32/Duqu.A
PCTools 8.0.0.5 2011.10.19 Malware.Duqu
Symantec 20111.2.0.82 2011.10.19 W32.Duqu
TrendMicro-HouseCall 9.500.0.1008 2011.10.19 -
MD5 : c9a31ea148232b201fe7cb7db5c75f5e
Check out the latest info from ESET, which includes some information on the decryption algorithm and a script you can use. It also contains a decrypted config file for analysis.
http://blog.eset.com/2011/10/25/win32duqu-it%E2%80%99s-a-date
http://scadahacker.com/resources/duqu
please send me the password to sanken_new@yahoo.com
Do we have any idea what the dropper doc files look like yet?
Trey Smith Blog
Hi Mila, excellently written article; if only all bloggers offered the same content as you, the internet would be a much better place. Please keep it up!
I like it very much because it has very helpful articles on various topics like different cultures and the latest news. I am a googler and search on many topics. By searching I found this nice website. Thanks for sharing.
With the dropper finally discovered, if anyone finds a copy, please post to Mila and share on this forum.
Happy Hunting!
please send me the password to Alexandr Komarov ;
Alexandr Komarov ubbabru@yahoo.com
Please send me a password for unzipping the files.
My email is sagarbhmr@gmail.com
Since this bug has been long patched by now, is the dropper doc available?
@Anonymous.
Not available. If you have it, please share. Thanks.