13 November 2011

SURWARE DuQu - a handiwork of Wednesday's Gang

Aleks, Kaspersky Lab Expert, posted on November 11, 12:09 GMT:

The Duqu Saga Continues: Enter Mr. B. Jason and TV’s Dexter

Kaspersky Lab, in hot pursuit of DUQU and in close coordination with the Sudanese CERT, has revealed new facts about this game-changing SURVEILLANCE MALWARE (a family of malware I like to call SURWARE, pronounced like 'surveyor').

Kaspersky Lab found three ~DQ-type files, created on May 25, June 29 and August 24; all three dates were Wednesdays. This could be just a coincidence, maybe not. Still, based on this ‘coincidence’, Kaspersky Lab chose to name the group behind Duqu the Wednesday’s Gang :)

The report covers many more facets of this Surware and can be read at http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter

Some of the key findings of the report are:

- For every victim, a separate set of attack files was created;
- Each unique set of files used a separate control server;
- The attacks were conducted via e-mails with a .DOC file attached;
- The mail-outs took place from anonymous mailboxes, probably via compromised computers;
- At least one e-mail address is known from which the mail-outs were conducted - bjason1xxxx@xxxx.com;
- For each victim, a separate DOC file was put together;
- The vulnerability exploit was contained in the font called “Dexter Regular”;
- The attackers changed the shellcode, and varied the range of dates for possible infection;
- After penetration into a system the attackers installed extra modules and infected neighboring computers;
- The presence on the systems of the files ~DF.tmp and ~DQ.tmp unambiguously points to an infection by Duqu.
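The last finding gives defenders a concrete host indicator. The following triage script is an added example written for this post, not code from Kaspersky Lab or from the report: it walks a directory tree and flags the two named temp files, and, as a weaker hint drawn from the Wednesday observation above, any other ~DQ-prefixed file whose recorded creation day is a Wednesday. The file-creation heuristic assumes a Windows host, where `st_ctime` is the creation time.

```python
import os
from datetime import datetime

# Indicator file names reported by Kaspersky (quoted in the findings above).
DUQU_TEMP_FILES = {"~df.tmp", "~dq.tmp"}
WEDNESDAY = 2  # datetime.weekday(): Monday == 0


def classify(name, created):
    """Return a reason string if (name, created) matches a Duqu indicator, else None."""
    lower = name.lower()
    if lower in DUQU_TEMP_FILES:
        return "known Duqu temp file name"
    if lower.startswith("~dq") and created.weekday() == WEDNESDAY:
        # Weaker hint: the report ties the ~DQ-type files it found to Wednesday dates.
        return "~DQ-type file created on a Wednesday"
    return None


def scan_tree(root):
    """Walk `root` and return sorted (path, reason) pairs for matching files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # st_ctime is the creation time on Windows; on POSIX it is the inode
            # change time, so the Wednesday heuristic is only meaningful on Windows.
            created = datetime.fromtimestamp(os.stat(path).st_ctime)
            reason = classify(name, created)
            if reason:
                hits.append((path, reason))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: python duqu_triage.py <directory>   (defaults to the current directory)
    for path, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

A hit on ~DF.tmp or ~DQ.tmp is the strong signal; the Wednesday match on other ~DQ files only marks candidates for closer inspection.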

Solutions: www.xcyss.in
