DUQU
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
DUQU is made up of several components that interact with each other to achieve its main purpose: to steal information and deliver the stolen data to a C&C server. The components consist of rootkits and information stealers.
DUQU is believed to have been created by the same cybercriminals behind STUXNET because the two share code. However, unlike STUXNET, DUQU does not target SCADA systems.
TECHNICAL DETAILS
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\JmiNET3
ImagePath = "\??\%System%\Drivers\jminet7.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\cmi4432
ImagePath = "\??\%System%\Drivers\cmi4432.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{malware name}
ImagePath = "\??\{malware path}\{malware name}.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{malware name}\Security
Security = "{hex value}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{malware name}\Enum
0 = "Root\LEGACY_1\0000"
NOTES:
It arrives as a file dropped by other malware. It uses any of the following file names:
- %System%\Drivers\cmi4432.sys
- %System%\Drivers\jminet7.sys
It also arrives with the following files:
- %Windows%\inf\cmi4432.pnf
- %Windows%\inf\cmi4464.pnf
- %Windows%\inf\netp191.pnf
- %Windows%\inf\netp192.pnf
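The service entries and file names listed above are the host-based indicators this entry gives. The following script is an added example (not part of this entry or of any vendor tool) that checks an exported registry hive and a file listing against them. It assumes the registry text is the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` and the file listing is any list of full paths; the .reg sample embedded in the block is constructed for the demonstration and is not a capture from an infected host.

```python
"""Check a .reg export and a file listing for the DUQU autostart indicators.

Added example, not part of the original entry or any vendor tool.
Service names, driver names and .pnf names are taken from the entry above;
the sample .reg text below is constructed for demonstration only.
"""
import re

# Indicators from the entry (compared case-insensitively).
DUQU_SERVICE_NAMES = {"jminet3", "cmi4432"}
DUQU_DRIVER_NAMES = {"jminet7.sys", "cmi4432.sys"}
DUQU_PNF_NAMES = {"cmi4432.pnf", "cmi4464.pnf", "netp191.pnf", "netp192.pnf"}

# Matches HKLM\SYSTEM\<CurrentControlSet or ControlSet00N>\Services\<name>
# exactly (no deeper subkeys such as ...\Security or ...\Enum).
SERVICE_KEY = re.compile(
    r"^hkey_local_machine\\system\\(?:currentcontrolset|controlset\d{3})"
    r"\\services\\([^\\]+)$",
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value_string}}.

    Only quoted string values are unescaped; hex:/dword: values are kept raw.
    Continuation lines of multi-line hex values do not start with '"' and are
    skipped, which is fine for this check.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                # .reg escapes backslashes in REG_SZ values as "\\".
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = value
    return keys


def find_duqu_services(reg_text):
    """Return (service_name, reason) tuples for services matching the indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        m = SERVICE_KEY.match(key)
        if not m:
            continue
        name = m.group(1)
        if name.lower() in DUQU_SERVICE_NAMES:
            hits.append((name, "known DUQU service name"))
        image = values.get("ImagePath", "")
        driver = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if driver in DUQU_DRIVER_NAMES:
            # Catches a renamed service that still loads one of the drivers.
            hits.append((name, f"ImagePath points at DUQU driver {driver}"))
    return hits


def find_duqu_files(paths):
    """Return the paths whose base name is a DUQU driver or companion .pnf file."""
    wanted = DUQU_DRIVER_NAMES | DUQU_PNF_NAMES
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in wanted]


# Constructed sample in 'reg export' format (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\jminet7.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcXYZ]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\cmi4432.sys"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\inf\netp191.pnf",
    r"C:\WINDOWS\inf\oem1.inf",
    r"C:\WINDOWS\system32\Drivers\cmi4432.sys",
]

if __name__ == "__main__":
    for service, reason in find_duqu_services(SAMPLE_REG):
        print(f"service {service}: {reason}")
    for path in find_duqu_files(SAMPLE_FILES):
        print(f"file {path}")
```

Feed it a real export with `reg export "HKLM\SYSTEM\CurrentControlSet\Services" services.reg` (the file is UTF-16, so open it with `encoding="utf-16"`) and a listing from `dir /s /b C:\Windows`. Because the components include rootkits, a listing or export taken on the running, possibly infected host may be incomplete; checking the offline SYSTEM hive and disk from a clean system is the reliable way to use these indicators.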