Duqu is a highly advanced computer worm—first discovered on September 1, 2011, by CrySyS Lab of the Budapest University of Technology and Economics in Hungary—believed to have been created by the same individuals that created the Stuxnet worm that caused Iranian nuclear turbines to malfunction in 2010. Similarly to Stuxnet, Duqu was highly targeted (having been discovered on less than 50 systems worldwide), used zero-day Windows kernel vulnerabilities to install itself, and used stolen digital keys to sign its components. Unlike Stuxnet, however, Duqu was not designed to disrupt industrial SCADA systems. Instead, it gathered intelligence through keylogging, recording system information, and stealing digital certificates and their corresponding private keys. Many of the Duqu infections occurred at companies involved in manufacturing industrial control systems, so it is possible that Duqu-stolen information could be used as the basis for a future Stuxnet-like attack.
While Duqu had the ability to propagate, it did not do so automatically as some other computer worms have. Its owners only targeted specific machines within specific companies through the use of a spear phishing email with an attached Microsoft Word document. Malware code attached to the document executed itself upon a user opening it, and remained dormant for a matter of minutes on the user’s system before downloading and installing additional Duqu modules that allowed for its intelligence gathering and communication abilities.
One interesting note regarding Duqu’s command and control (C&C) architecture was the use of what could potentially be a zero-day exploit affecting OpenSSH 4.3 to take control of new servers. Research involving salvaged log files from Duqu C&C servers that had been wiped by Duqu’s owners revealed that immediately after hacking each C&C server, the hacker would update OpenSSH from version 4.3 to the latest version at the time (5.8). Some theorize this practice of updating OpenSSH could be to remediate the vulnerability used to hack into the server in the first place in order to prevent someone else from regaining control of a hacked server. The existence of this OpenSSH vulnerability has not been proven, so many researchers believe that Duqu’s owners simply forced the SSH passwords of the servers they hacked. Duqu’s owners also seemed to have an affinity for Linux distribution CentOS 5.x; this could have been a coincidence or they possessed an exploit affecting CentOS 5.x systems.
Furthermore, a large part of Duqu’s C&C communications software module was written in a previously unidentifiable programming language significantly different from that used to write other Duqu modules. Duqu’s “Mystery Language” identification finally arrived after research efforts were crowd-sourced. Researchers, with the help of various individuals, concluded that Duqu’s “Mystery Language” was a special variant of the C programming language called OO C (Object-Oriented C) with custom extensions and was compiled with the Microsoft Visual Studio Compiler. This abnormal use of OO C as opposed to a more mainstream language such as C++ to write parts of Duqu is yet another hint that suggests that the individuals who developed Duqu (and Stuxnet) are highly skilled, well funded, and probably backed by a nation-state.