Stuxnet v2 or TR/Duqu

The Stuxnet virus has gone to the next generation: “TR/Duqu”.

Avira has detected the new malware since VDF 7.11.16.63, which was released on 2011-10-19.

The new variant of Stuxnet consists of 3 main files:

  • a driver file (at this time we can distinguish between 4 slightly different versions)
  • an encrypted DLL
  • an encrypted configuration file

This new version is very similar to the old one: one of these driver files is almost binary-identical to the driver file of the original Stuxnet malware, and the whole infection process of the new malware is pretty similar to the old one.

The driver, which is loaded at system start, registers a callback through the “PsSetLoadImageNotifyRoutine” routine to observe whether kernel32.dll is being loaded. When it is, the driver resolves the imports it needs from kernel32.dll. It then injects the decrypted main DLL into the services.exe process and executes the export function of the main DLL file. This provides RPC functionality that allows remote access to the infected machine. The main DLL also contains another DLL, which is responsible for downloading further malware payloads. This download process can then be triggered by an RPC call.

Visit the following links to find additional details about the malware variants TR/Spy.Duqu.A and TR/Duqu.A.1.

 

Alex Vukcevic
Manager Virus Lab

Sorin Mustaca
Data Security Expert