Duqu spawned by 'well-funded team of competent coders' The Duqu malware that targeted industrial manufacturers around the world contains so many advanced features that it could only have been developed by a team of highly skilled programmers who worked full time, security researchers say. The features include steganographic processes that encrypt stolen data and embed it into image …
"Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs".
Riiggght. Because part-time amateurs can't produce complex code. Sorry Linus. Sorry Bill Joy. Sorry Professor Knuth.
It doesn't matter whether Duqu was produced by a 13-year old teenage girl in her bedroom or the Chinese secret service, this type of thinking is lazy.
I came here to say the same thing. I can think of a dozen people in the games industry who can sit down and write solid driver code and impressive system architecture (by which they mean rolling your own steganography and writing a plugin layer?! ... who are these idiots?) A friend of mine wrote a virtualizing rootkit only a few months ago, just for shits and giggles.
In fact, I've yet to see either solid driver code *or* impressive system architecture created by a team ... :)
Just take a look at this quote from the linked NSS article:
>"NSS engineers have developed a scanning tool that can be used to detect all DuQu drivers installed on a system. [ ... ] Because it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered"
This is demonstrably bullshit, as anyone can see for themselves by taking a look at the open-sourced python code for this tool:
https://github.com/halsten/Duqu-detectors/blob/84eafcb95f4b1cf3708803f484398245f08e582c/DuquDriverPatterns.py
It is completely bogus to call this code "advanced pattern recognition". It has twelve fixed signatures, stored in arrays of hex bytes, and it walks the filesystem, opens and mmaps each file, and calls the Python mmap.find(...) function to search for each of the signatures in the opened file. No heuristics, no deobfuscation or anti-polymorphism techniques, nothing but a plain substring search.
In other words, this is a trivial string matcher, less advanced than "grep", about on a level with the DOS "find" command. If that's what these guys think is "advanced", it could explain their overestimating how subtle Duqu is; perhaps they just need to recalibrate their judgement a bit. Or a lot.
"The features include steganographic processes that encrypt stolen data and embed it into image files before sending it to attacker-controlled servers, an analysis by NSS researchers found."
Actually, if you bother to follow the link to the NSS report, you'll see that its authors, being knowledgeable researchers, don't use the word "steganography" at all. And rightfully so, because Duqu doesn't use it. Obviously, the ElReg reporter has heard the buzzword from somewhere, has half-understood it, hasn't even looked at the Duqu code, and has decided to include this buzzword in his article to make it more "juicy".
What Duqu does, is APPEND (not "embed") the collected and encrypted information at the end of JPG images. The reason for this is to conceal the fact that it is sending such information from casual observers of the 'net traffic. However, if somebody is actually LOOKING for this info in these JPG images, it is blindingly obvious that it is there.
As opposed to that, when REAL steganography is used, the information is encoded by toggling single bits in the image. If it is done right, it is practically IMPOSSIBLE to detect that hidden information is present in the image, unless you have the original image to compare it with. Calling what Duqu does "steganography" is like calling wearing sunglasses a "professional disguise".
As for the similarity between Duqu and Stuxnet, it is more appropriate to say that one of the components of Duqu is very similar to one of the components of Stuxnet. But the similarity ends here.
You want to learn to screw people over for fun and profit, just study how the big boys in the corporate software game make their money!
I suspect it's modular for the bloody good reason that they're copying the business world. The base product is free but if you want the real stuff that nets the good gear, you're gonna have to pay for the subscription upgrades. Oh and don't think you're gonna get a perpetual license, the license keys they give will no doubt be time limited!
"Duqu is also the world's first known modular plugin rootkit,[...] "
No it's not. Anyone remember Back Orifice 2000? BO2K allowed - um, users - to add or remove plugins on the fly. Sneak a tiny server on to a "victim" machine, and then once it's in, you can add in plugins that support strong encryption, keylogging, live desktop, IRC command and control, etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
