What is Duqu?
Duqu is a computer worm discovered on 1 September 2011 and thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary discovered the threat, analyzed the malware, and wrote a 60-page report naming the threat Duqu. Duqu got its name from the prefix “~DQ” that it gives to the names of the files it creates.
The Duqu term
The term Duqu is used with several distinct meanings:
Duqu malware is a set of software components that together provide services to the attackers. Currently these include information-stealing capabilities and, in the background, kernel drivers and injection tools.
The Duqu flaw is the Microsoft Windows vulnerability that malicious files exploit to execute the Duqu malware components. Currently one such flaw is known: a TrueType font (TTF) parsing problem in win32k.sys.
Operation Duqu is the campaign in which Duqu alone is used, for goals that remain unknown. The operation might be related to Operation Stuxnet.
Relationship to Stuxnet
Symantec, building on the CrySyS report, continued the analysis of the threat, which it called “nearly identical to Stuxnet, but with a completely different purpose”, and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. Symantec believes that Duqu was created by the same authors as Stuxnet, or that its authors had access to the Stuxnet source code. The worm, like Stuxnet, has a forged digital certificate and collects information to prepare for future attacks. Mikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu’s kernel driver, JMINET7.SYS, was so similar to Stuxnet’s MRXCLS.SYS that F-Secure’s back-end system classified it as Stuxnet. Hyppönen further said that Duqu’s own digital certificate was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011, according to Symantec.
Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet.
Experts compared the two threats and identified three particularly intriguing similarities:
1. The installer exploits a zero-day Windows kernel vulnerability (or vulnerabilities).
2. Components are signed with stolen certificates.
3. Duqu is highly targeted, in a way that suggests advanced intelligence.
Source: Wikipedia