Duqu meets Dexter

Kaspersky’s Alexander Gostev has some interesting findings on Duqu, including a connection with Showtime TV’s serial killer, Dexter Morgan.

Gostev wrote a pretty extensive analysis of Duqu on Friday. Duqu’s makers have apparently been working on this malware since 2007 and have affection for fictional TV serial killer Dexter.

Gostev writes:

The shellcode of the exploit was contained in an embedded font processed by the win32k.sys system. The font was called Dexter Regular, and its creators were shown as Showtime Inc.

This is another prank pulled by the Duqu authors, since Showtime Inc. is the cable broadcasting company behind the TV series Dexter, about a CSI doctor who happens also to be a serial killer who avenges criminals in some post-modern perversion of Charles Bronson’s character in Death Wish.

The driver loaded by the exploit into the kernel of the system had a compilation date of August 31, 2007. The analogous driver found in the dropper from CrySyS was dated February 21, 2008. If this information is correct, then the authors of Duqu must have been working on this project for over four years!

As part of the investigation of the given incident we’ve established the entry points for penetration of the systems, dates of events, and several facts regarding the conduct of the attackers. This information allows one to date one of the waves of attack to mid-to-late April 2011. Key findings include:

– For every victim, a separate set of attack files was created;

– Each unique set of files used a separate control server;

– The attacks were conducted via e-mails with a .DOC file attached;

– The mail-outs took place from anonymous mailboxes, probably via compromised computers;

– At least one e-mail address is known from which the mail-outs were conducted -bjason1xxxx@xxxx.com;

– For each victim, a separate DOC file was put together;

– The vulnerability exploit was contained in the font called “Dexter Regular”;

– The attackers changed the shellcode, and varied the range of dates for possible infection;

– After penetration into a system the attackers installed extra modules and infected neighboring computers;

– The presence on the systems of the files ~DF.tmp and ~DQ.tmp unambiguously points to an infection by Duqu.

Due to privacy reasons and protection of the identity of the victim, we cannot share the source .DOC file with other parties.

Also, we are not at present disclosing the address of the control server for this variant of Duqu; however, we think that it is not functioning now and all critical information on it has already been deleted by the attackers. This is also the case for one more control server we have discovered. Information about the control servers will be published later.

We can say that there are at least 12 unique sets of Duqu files known to us at present. The variant discussed in this post has been named variant F. Detailed information on the other variants will be published later.

The post includes a lot of images and screen captures. Check it out, because it’s among the best research we’ve seen on Duqu to date.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a

Get your morning news fix with the daily Salted Hash e-newsletter!