Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last
Stuxnet file we recovered. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others, in order to more easily conduct a future
attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on various industries, including industrial control system facilities. Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not selfreplicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants
Duqu uses HTTP and HTTPS to communicate to a command and control (C&C) server at 126.96.36.199, which is hosted in India. As of October 18th this IP is inactive. To date this is the only C&C IP encountered and is a reliable indicator of Duqu activity on a network. Through the command and control server, the attackers were able to download additional executables, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, and then must be exfiltrated out. In addition to this infostealer, three more DLLs were pushed out by the C&C on October 18th.
Click here for full report
Solutions : www.xcyss.in