Cyberspace has a new apex predator.
Duqu 2.0, the elusive malware that experts suggest might be linked to the Israeli government, was discovered last week lurking in the systems of thousands of organizations across Western, Middle Eastern, and Asian countries, according to antivirus company Kaspersky Labs.
The lab predicts that their findings so far are only the beginning.
“These are only preliminary results of its investigation,” said Kurt Baumgartner, principal security researcher at Kaspersky. “There is no doubt that this attack had a much wider geographical reach and many more targets. But judging from what we already know, Duqu 2.0 has been used to attack a complex range of targets at the highest levels.”
Victims include high-profile and seemingly innocuous targets. Notably, the virus was discovered infecting the systems of European hotels that hosted the P5+1 talks, which were held to negotiate the terms of Iran’s nuclear program. It was also found on computers linked to the 70th anniversary celebration of the liberation of Auschwitz concentration camp at the end of World War II.
Duqu 2.0 was first identified in early spring, when a prototype program at Kaspersky detected evidence of a sophisticated malware in the bowels of the anti-malware lab’s own network.
An internal investigation was launched, and Kaspersky’s task force of analysts, reverse engineers and researchers confirmed that an “exceptional” attack had indeed been made on its systems and had gone undetected for an indeterminate amount of time.
Researchers concluded that the virus was the product of an advanced hacking group thought to have gone dark in 2012. Kaspersky had dubbed the group “Duqu,” after the “~DQ” files its malware creates.
The new program, a type of advanced malware known as an advanced persistent threat, or APT, was named Duqu 2.0, and further study showed it to be among the most potent offensive software ever created.
“The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world,” Baumgartner said. “The group behind Duqu is very skilled, powerful and did everything possible to try to stay under the radar.”
According to Kaspersky, the sophistication of Duqu 2.0 surpasses even the programs of the Equation Group, a shadowy hacking organization suspected to be an NSA affiliate and widely recognized as the “crème de la crème” of APT production.
Duqu 2.0 exists only in a system’s memory, leaving nothing on disk for conventional anti-malware scans to find. It also has no need to connect directly to a command-and-control server; instead it infects network gateways and firewalls on its own and uses them to proxy traffic from the internal network straight to the attackers’ command centers.
These factors, combined with its array of complex encryption algorithms, make hunting Duqu 2.0 a daunting task.
The composition of such a complex program is no easy feat, and Kaspersky’s investigation has turned into a cyber detective story in its own right.
By collecting logs from the proxies the attackers used to channel their data, technicians were able to determine that the attackers worked significantly less on Fridays and not at all on Saturdays. Their regular workweek appears to start on Sunday. Additionally, the hackers compiled binaries on Jan. 1, indicating that it was not a holiday for them.
Timestamps in the binaries suggest that the hackers operate in the GMT+2 or GMT+3 time zone, a band that includes parts of Africa and the Middle East. Baumgartner noted that the binaries’ logging strings contained mostly perfect English but a few telltale mistakes, which may mean the Duqu group is composed of nonnative speakers. Among these he cited the example of “Excceeded” in place of “Exceeded.”
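The working-week analysis described above can be reproduced mechanically: shift each activity timestamp into every candidate time zone and score how badly it fits an office-hours pattern. The script below is an added illustration, not Kaspersky’s tooling; its timestamps are invented, and the office hours, rest-day patterns and offset range are assumptions.

```python
from datetime import datetime, timedelta, timezone
from collections import Counter

# Constructed UTC timestamps (invented, not from the investigation) standing in
# for binary compile times and proxy-log entries.
SAMPLE_EVENTS_UTC = [
    "2015-01-01T06:10", "2015-01-04T05:30", "2015-01-04T14:30",
    "2015-01-05T06:00", "2015-01-06T10:15", "2015-01-07T13:45",
    "2015-01-08T05:45", "2015-01-08T14:45", "2015-01-09T05:30",
    "2015-01-11T06:30", "2015-01-11T14:20", "2015-01-12T07:00",
    "2015-01-13T09:10",
]
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WORK_START, WORK_END = 8, 18  # assumed local office hours, [start, end)

def parse_utc(stamps):
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]

def misfit(events, offset_hours, rest_days=("Sat",)):
    """Count events that land on a rest day or outside office hours once
    shifted into the candidate zone. Lower means a better fit."""
    tz = timezone(timedelta(hours=offset_hours))
    score = 0
    for ev in events:
        local = ev.astimezone(tz)
        off_day = WEEKDAYS[local.weekday()] in rest_days
        off_hours = not (WORK_START <= local.hour < WORK_END)
        score += off_day or off_hours
    return score

def infer_offset(events, candidates=range(-12, 15),
                 patterns=(("Sat", "Sun"), ("Fri", "Sat"), ("Sat",))):
    """Try each (rest-day pattern, UTC offset) pair and return the
    (offset, rest_days, misfit) triple that explains the most activity."""
    best = None
    for rest in patterns:
        for off in candidates:
            s = misfit(events, off, rest)
            if best is None or s < best[2]:
                best = (off, rest, s)
    return best

def weekday_histogram(events, offset_hours):
    """Activity per local weekday, for eyeballing Friday dips and idle days."""
    tz = timezone(timedelta(hours=offset_hours))
    counts = Counter(WEEKDAYS[ev.astimezone(tz).weekday()] for ev in events)
    return {d: counts.get(d, 0) for d in WEEKDAYS}

if __name__ == "__main__":
    evs = parse_utc(SAMPLE_EVENTS_UTC)
    off, rest, score = infer_offset(evs)
    print(f"best fit: UTC{off:+d}, rest days {rest}, misfit {score}")
    print(weekday_histogram(evs, off))
```

With the constructed data the best fit is UTC+3 with Saturday as the only idle day, and the histogram shows a Sunday-to-Thursday week with lighter Friday activity; real compile timestamps can be forged, so treat the result as one indicator among several.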
As the hunt to identify the hackers continues, Kaspersky has recommended simple measures to mitigate the threat of Duqu:
- Update Windows to the latest version using Microsoft Windows Update. Make sure to install Microsoft’s Patch Tuesday update from June 9.
- Reboot all computers at once – for instance by simulating a power failure. It is very important to reboot everything at the same time; otherwise the malware might survive on one machine and re-infect the others.
- Change all passwords.
- Perform regular updates and rebooting of all machines in the network, including domain controllers. Rebooting removes the active malware from memory.
- Make sure all servers run x64 (64-bit) Windows. This forces the attackers to use signed drivers for persistence mechanisms.
- Change passwords regularly (every 1-2 months) and use strong passphrases that are longer than 20 characters. Disable old-style LM hashes.
As far as identifying the perpetrators beyond a reasonable doubt, Baumgartner remains cautiously optimistic. “Attribution of cyber attacks over the Internet is a difficult thing,” he said. “But the attackers always leave some traces.”