What is Duqu 2.0?

Kaspersky Lab revealed it was one of several targets hit by Duqu 2.0 - an advanced persistent threat (APT) used to spy on targets some believe include high-level nuclear talks.

Here we break down what Duqu 2.0 is, how it works, who wrote it, and whether you and your organisation could be at risk.

What is Duqu 2.0 and how does it work?

Duqu 2.0 is an extremely sophisticated malware that was detected in 2015, but has been active since at least spring 2014.

Duqu 2.0 belongs to the class of attacks loosely labelled advanced persistent threats (APTs): long-running, targeted intrusions that covertly enter computer systems and then silently monitor processes and/or exfiltrate data. Strictly, "APT" describes the campaign and the group running it rather than a kind of malware, and Duqu 2.0 is not a self-propagating worm; as described below, its operators pushed it from machine to machine themselves.

These types of attack are normally levelled at enterprises and nation states, although they can spread beyond this, and Duqu 2.0 is no exception (see below).

Kaspersky Lab, which first detected the malware while testing a new cyber security tool, said "the philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world".

Duqu 2.0 exploited up to three zero-day vulnerabilities in Microsoft's Windows operating systems - flaws that were unknown to the vendor until the attackers used them. According to Kaspersky Lab, one of these, in Windows Kerberos (fixed in Microsoft bulletin MS14-068), was used to elevate the attackers' privileges to domain administrator. With those credentials in hand, they spread through the network by remotely installing the malware on other machines as Microsoft Software Installer (MSI) packages, a routine administrative action that blends in with legitimate software deployment.

Because the malware runs almost entirely in memory rather than being installed on disk, it leaves very little for disk-based antivirus or forensic tools to find, which, according to Kaspersky Lab, "[makes] detection extremely difficult". The trade-off is that a reboot wipes it from a machine, so the attackers kept a small number of persistent footholds (Kaspersky Lab found drivers installed on a few internet-facing gateway machines) from which the rest of the network could be reinfected.
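Since an in-memory implant offers little for disk scanning to catch, the most durable trace of an intrusion like this is the lateral movement itself: quiet MSI installs, launched remotely, on many hosts, under one domain administrator account. The following is an added hunting example written for this article, not code from Kaspersky Lab or Symantec. It scores constructed Sysmon-style process-creation records for those traits and then correlates by account to surface the spreading pattern; the field names, hostnames, account names, package path and the `KEY=` property are all invented for the illustration and are not real indicators of compromise.

```python
"""Hunt for Duqu 2.0-style lateral movement: unattended MSI installs pushed
to several hosts within a short window under one privileged account.

Added example, not Kaspersky Lab's or Symantec's code. The records below are
constructed to resemble Sysmon process-creation (Event ID 1) data; the hosts,
accounts, share, package name and KEY= property are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one dict per process-creation event.
SAMPLE_EVENTS = [
    # Benign: a user installing a downloaded package interactively.
    {"time": "2015-05-04T09:12:00", "host": "WS-017", "user": "CORP\\alice",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\alice\\Downloads\\Tool.msi"'},
    # Benign: a quiet install by a software-deployment agent running as SYSTEM.
    {"time": "2015-05-04T12:00:05", "host": "WS-022", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\CCM\\CcmExec.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Windows\\ccmcache\\a1\\Reader.msi /qn"},
    # Suspicious: a quiet install from an admin share, started through the
    # service control manager by a domain admin, repeated across hosts at night.
    *[{"time": t, "host": h, "user": "CORP\\da-backup",
       "parent": "C:\\Windows\\System32\\services.exe",
       "image": "C:\\Windows\\System32\\msiexec.exe",
       "cmdline": "msiexec.exe /i \\\\SRV-FS01\\c$\\Windows\\Temp\\upd.msi /q KEY=0badf00d"}
      for t, h in [("2015-05-04T02:03:11", "SRV-DC02"),
                   ("2015-05-04T02:17:48", "SRV-MAIL1"),
                   ("2015-05-04T02:41:02", "WS-RND-09")]],
    # Unrelated remote process creation that is not msiexec at all.
    {"time": "2015-05-04T02:05:00", "host": "SRV-DC02", "user": "CORP\\da-backup",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Accounts whose use for software installs should be rare (assumed for the example).
PRIVILEGED = {"CORP\\da-backup", "CORP\\Administrator"}

QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "/passive"}
# Parents that indicate the process was started remotely (service creation,
# scheduled task, WMI, PsExec) rather than by an interactive user.
REMOTE_LAUNCHERS = tuple("\\" + n for n in
                         ("services.exe", "taskeng.exe", "wmiprvse.exe", "psexesvc.exe"))
MSI_PATH = re.compile(r'"([^"]+?\.msi)"|(\S+\.msi)(?=\s|$)', re.IGNORECASE)


def package_path(cmdline):
    """Return the .msi path named on an msiexec command line, or None."""
    m = MSI_PATH.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_staged_location(path):
    """True for package locations typical of attacker staging: UNC shares
    and world-writable or scratch directories on the local disk."""
    p = path.lower()
    return (p.startswith("\\\\") or "\\windows\\temp\\" in p
            or "\\programdata\\" in p or "\\appdata\\local\\temp\\" in p)


def score_event(ev, privileged_accounts):
    """Return (score, reasons) for one process-creation event; non-msiexec
    events score 0. Each matched trait adds one point."""
    if not ev["image"].lower().endswith("\\msiexec.exe"):
        return 0, []
    reasons = []
    if {t.lower() for t in ev["cmdline"].split()} & QUIET_FLAGS:
        reasons.append("unattended install")
    pkg = package_path(ev["cmdline"])
    if pkg and is_staged_location(pkg):
        reasons.append(f"package staged at {pkg}")
    if ev["parent"].lower().endswith(REMOTE_LAUNCHERS):
        launcher = ev["parent"].rsplit("\\", 1)[-1]
        reasons.append(f"launched remotely via {launcher}")
    if ev["user"].lower() in {a.lower() for a in privileged_accounts}:
        reasons.append("privileged account")
    return len(reasons), reasons


def hunt(events, privileged_accounts, threshold=3,
         window=timedelta(hours=1), min_hosts=2):
    """Return (suspicious_events, spreaders): events scoring at least
    `threshold`, and accounts that drove such installs onto `min_hosts` or
    more distinct hosts inside `window`, which is the lateral-movement shape."""
    suspicious, by_user = [], defaultdict(list)
    for ev in events:
        score, reasons = score_event(ev, privileged_accounts)
        if score >= threshold:
            suspicious.append({**ev, "reasons": reasons})
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    spreaders = {}
    for user, hits in by_user.items():
        hits.sort()
        for t0, _ in hits:  # slide a window forward from each hit
            hosts = {h for t, h in hits if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                spreaders[user] = sorted(hosts)
                break
    return suspicious, spreaders


if __name__ == "__main__":
    flagged, spread = hunt(SAMPLE_EVENTS, PRIVILEGED)
    for ev in flagged:
        print(ev["time"], ev["host"], ev["user"], "; ".join(ev["reasons"]))
    for user, hosts in spread.items():
        print(f"{user} pushed MSI packages to {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample data the interactive install and the deployment-agent install score 0 and 1 respectively and stay below the threshold, while the three night-time installs from the admin share score 4 each, and the correlation step names the single domain administrator account that drove them. In a real estate the threshold and the `REMOTE_LAUNCHERS` list need tuning against whatever legitimate deployment tooling is in use, and the account list should come from the directory rather than a hard-coded set.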

Who has been affected?

The first organisation to detect Duqu 2.0 was Kaspersky Lab, whose own systems had been compromised by the worm.

According to founder Eugene Kaspersky, the malware was active in the company's network for around three months before it was detected.

Upon further investigation, the security firm found a variety of victims across the Western world, as well as the Middle East and Asia.

"Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues [in Austria and Switzerland] related to the negotiations with Iran about a nuclear deal," said Kaspersky Lab.

The Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau, attended by many foreign dignitaries and politicians, according to the company.

Symantec backed up Kaspersky Lab's findings and also identified further victims: two telcos, one in Europe and one in North Africa, and an electronic equipment manufacturer in South East Asia.

Why is it called Duqu 2.0 and who is behind it?

The name Duqu 2.0 has been applied to this particular malware as it seems to have been created by the same group that created the original Duqu malware, which was uncovered by CrySys Lab in 2011.

According to Symantec, "Duqu and Duqu 2.0 share large amounts of code, in addition to similarities in how that code is organised. The shared code includes a number of helper functions. For example ... there is a 'gen_random' function (as labelled by an engineer) that is shared between Duqu and Duqu 2.0".

"Not only is that gen_random code shared, but the code that calls that function is also organised almost identically. Such similarities in how code is called are repeated in several other locations throughout Duqu 2.0, including in how C&C (Command and Control) IP addresses are formatted, how network messages are generated, and how files are encrypted and decrypted," the company added.

Duqu also targeted Iran's nuclear programme, which seems to be at least one of the purposes of Duqu 2.0, given the infections found in Austria and Switzerland related to the P5+1 talks.

The question of who is behind Duqu 2.0 is a bit more complex.

Many security firms, including Symantec and F-Secure, believe Duqu, and thus Duqu 2.0, were created by the same group that created the infamous Stuxnet worm, which sabotaged uranium-enrichment centrifuges at Iran's Natanz facility and was discovered in 2010. Dell SecureWorks, however, disputed this relationship.

It is generally thought that Stuxnet was created as a collaboration between the Israeli Mossad and one or more of the United States' security agencies, and it is widely reported to have put around a fifth of Iran's enrichment centrifuges out of action in 2009-2010.

Kaspersky Lab believes Duqu 2.0 "is a nation-state sponsored campaign", but Eugene Kaspersky declined to name any country in particular. Others, however, have not been quite so coy, with current and former US intelligence officials telling the Wall Street Journal that Israel alone is behind both Duqu 2.0 and the original Duqu.

For its part, Israel has said that "international reports of Israeli involvement in the matter are entirely baseless" and suggested preventing "a bad agreement" with Iran should be the real focus of everyone's attention.

Analysis of Duqu 2.0 is ongoing, and the location of its command and control servers has either not yet been established or has deliberately not been revealed. Server location is a poor guide to who is behind malware in any case, since operators routinely rent or compromise infrastructure in third countries.

However, on 11 June, the office of the Swiss attorney general revealed police had in May carried out several raids across Geneva in relation to the attack and an investigation has subsequently been launched.

"The aim of this raid was on the one hand to gather evidence and on the other to verify if information systems had been infected by malware," the Swiss authorities said, according to Agence France-Presse. The federal office for the protection of the constitution and counter-terrorism in Austria also announced it has launched a separate investigation into the situation.

Am I at risk?

Given the nature of the attack, it is hard to say. Duqu 2.0 was deployed to a wide range of organisations, from Kaspersky Lab to hotels and hospitality locations to telcos, hardware makers and other undisclosed victims at locations around the world.

The greatest detail available is about the infection at Kaspersky Lab, where the malware silently monitored the company's R&D division and left everything else alone. However, Eugene Kaspersky said that it targeted different systems depending on where and what it infected. The attacks on the venues of the Iranian nuclear talks point to targeted cyber espionage, while the involvement of telcos could indicate a wider surveillance effort.

Symantec said that "given the diversity of targets, [it] believes that the Duqu attackers have been involved in multiple cyberespionage campaigns".

"Some organisations may not be the ultimate targets of the group's operations, but rather stepping stones toward the final target," the company added.

Kaspersky, meanwhile, said: "There is no doubt that this attack had a much wider geographical reach and many more targets. But judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests."

One takeaway from this would be that, unless you are involved in high-level politics or supply those who are, you are not a target. That reasoning has two weaknesses. First, several Duqu 2.0 victims, such as telcos and hotels, were apparently compromised only as stepping stones towards the real targets, so being uninteresting in yourself is no protection if you sit on the path to someone who is. Second, even highly targeted tooling can escape into the wild, as Stuxnet did, and infect anyone.

How can I protect myself and my organisation, and what should I do if I'm infected?

The zero-day vulnerabilities exploited by Duqu 2.0 have been patched by Microsoft over the course of the past few months, with the final fix (CVE-2015-2360, bulletin MS15-061) issued as part of June 2015's Patch Tuesday. If you are not already infected and are up to date with your security patching, the known exploits no longer work against you. Patching alone is not a complete answer, though: much of the spread inside a victim network relied on stolen domain administrator credentials and ordinary MSI installs, which no patch prevents. Tight control of administrator accounts and monitoring for unexpected remote software installs matter as much as the patch level.

However, Josh Cannell, malware intelligence analyst at Malwarebytes, told IT Pro: "Organisations that fear they may have been targeted by Duqu 2.0 should consult a security firm they're confident in to remove the infection.

"Information on Duqu 2.0 is still pouring in, and we don't understand everything about it yet. What we do know, however, is the most important thing an organisation can do is remove any infection as soon as it's detected."

Kaspersky Lab has published an Indicators of Compromise (IoC) file that organisations can use to check their systems for signs of a Duqu 2.0 infection.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.