Much Ado About Duqu

By Ryan Majeau | Posted October 21st, 2011 in Faronics blogs for

A new buzzword-compliant piece of malware made headlines this week. Duqu—a next-generation zero-day advanced persistent threat. It’s used in coordinated spear-phishing attacks to gather intelligence data from industrial control systems. Pretty sexy stuff! A nasty threat, but you can protect yourself from it.

If you’re not a security researcher or hobbyist (and you’re still reading), you might have a few questions. By popular request, I will attempt to answer those questions, relying on the 46-page whitepaper our friends at Symantec have helpfully put together.

1. What is Duqu?

Duqu consists of a driver file, a DLL, and a configuration file, which are installed by a separate executable. Once installed and active, bad things can happen: things like logging your keystrokes and spying on you. This could change over time, though, since Duqu appears to have the ability to receive new instructions over the Internet.

2. Why is it getting so much attention?

Duqu is sexy. It really is. Its code is very much Stuxnet-style (last year’s sexy threat, because it targeted nuclear weapon systems), making Duqu a fresh new spin on yesterday’s news. The fact that Duqu is based on Stuxnet implies the authors of Stuxnet are still active.

3. Am I at risk?

The truth is, probably not. Well, unless you’re the IT guy for a nuclear weapon site or one of the specifically targeted industries. However, you are at risk every single day from a zero-day attack. The attention Duqu is getting is a good reminder of that. Yes, I derided “zero-day” as being a buzzword above, but zero-day threats are always a legit concern.

4. How do I protect myself?

A layered security approach will protect you against Duqu or any zero-day threat.

Anti-virus software with updated definitions will keep you safe. Most anti-virus products have been updated to detect Duqu, but some haven’t yet, and that delay puts you at risk.

Application whitelisting software doesn’t rely on definitions and would have kept you protected at all times. If it’s not on your list, it doesn’t run. The executable used to install Duqu would have been blocked. Even if it hadn’t been, the DLL used by Duqu would have been.
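To make the difference between the two approaches concrete, here is an added example (not code from the original post or from any vendor product) that models both with SHA-256 file hashes. The file contents, product names, and the `DefinitionScanner` and `Allowlist` classes are constructed for illustration; the point is that the definition-based model only blocks what the vendor has already catalogued, while the allowlist model refuses anything not approved in advance, including a known-good file that has been tampered with.

```python
import hashlib
from typing import Dict, Set


def sha256_hex(data: bytes) -> str:
    """Hash file contents; both models below key their decisions on this."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; none of these are real samples.
SAMPLES: Dict[str, bytes] = {
    "notepad.exe": b"MZ constructed: known-good editor",
    "svchost.exe": b"MZ constructed: known-good service host",
    "installer.exe": b"MZ constructed: never-before-seen installer",
    "payload.dll": b"MZ constructed: never-before-seen library",
}


class DefinitionScanner:
    """Definition-based model: blocks only hashes the vendor has already shipped."""

    def __init__(self) -> None:
        self.bad_hashes: Set[str] = set()

    def add_definition(self, data: bytes) -> None:
        # Simulates a definition update arriving after the sample was seen.
        self.bad_hashes.add(sha256_hex(data))

    def allows(self, data: bytes) -> bool:
        # Default-allow: anything not yet catalogued runs.
        return sha256_hex(data) not in self.bad_hashes


class Allowlist:
    """Allowlist model: runs only hashes an administrator approved in advance."""

    def __init__(self, approved: Dict[str, bytes]) -> None:
        self.good_hashes: Set[str] = {sha256_hex(d) for d in approved.values()}

    def allows(self, data: bytes) -> bool:
        # Default-deny: if it's not on the list, it doesn't run.
        return sha256_hex(data) in self.good_hashes


def verdicts(scanner: DefinitionScanner, allowlist: Allowlist) -> Dict[str, Dict[str, bool]]:
    """Ask both models whether each sample may execute."""
    return {
        name: {"definitions": scanner.allows(data), "allowlist": allowlist.allows(data)}
        for name, data in SAMPLES.items()
    }


def run_demo() -> Dict[str, object]:
    # Only the two known-good binaries were approved when the list was built.
    allowlist = Allowlist({k: SAMPLES[k] for k in ("notepad.exe", "svchost.exe")})
    scanner = DefinitionScanner()

    # Day 0: the vendor has no definition for the new installer or its DLL yet.
    before = verdicts(scanner, allowlist)

    # Later: definitions catch up and the scanner finally blocks both files.
    scanner.add_definition(SAMPLES["installer.exe"])
    scanner.add_definition(SAMPLES["payload.dll"])
    after = verdicts(scanner, allowlist)

    # A modified copy of an approved binary no longer matches its approved hash.
    tampered_notepad = SAMPLES["notepad.exe"] + b" patched"

    return {
        "before_update": before,
        "after_update": after,
        "tampered_notepad_allowed": allowlist.allows(tampered_notepad),
    }


if __name__ == "__main__":
    for stage, table in run_demo().items():
        print(stage, table)
```

On day 0 the unknown installer and DLL pass the definition scanner but are refused by the allowlist; after the update both models block them, and the allowlist also refuses the tampered copy of an approved binary because its hash changed.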

Instant system restore software wouldn’t really protect you from the initial infection, but it would remove Duqu as soon as your system was restarted. That’s the basis of the reboot-to-restore concept. Anything can happen to your computer during a session, but all changes are gone after restart.
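The reboot-to-restore idea can be shown with a small added example (not code from the original post or from any restore product): snapshot a directory, let a simulated session drop a new file, modify a config file and delete another, then "restart" by restoring the snapshot and confirm the tree is back to its frozen state. The directory layout, file names and the changes made during the session are all constructed for illustration; a real product works at the disk-block level, not with file copies.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def snapshot(root: Path) -> Dict[str, bytes]:
    """Record the contents of every file under root, keyed by relative path."""
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in root.rglob("*")
        if p.is_file()
    }


def restore(root: Path, frozen: Dict[str, bytes]) -> None:
    """Discard everything currently under root and put back the frozen state."""
    for child in root.iterdir():
        if child.is_dir():
            shutil.rmtree(child)
        else:
            child.unlink()
    for rel, data in frozen.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def simulate_session(root: Path) -> None:
    # Constructed changes standing in for what could happen during one session:
    # a dropped driver, a modified configuration file, and a deleted file.
    (root / "drivers" / "dropped.sys").write_bytes(b"constructed: dropped driver")
    (root / "system.ini").write_bytes(b"constructed: modified config")
    (root / "readme.txt").unlink()


def run_demo() -> Dict[str, bool]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "clean" system state that gets frozen.
        (root / "drivers").mkdir()
        (root / "system.ini").write_bytes(b"constructed: original config")
        (root / "readme.txt").write_bytes(b"constructed: original readme")
        frozen = snapshot(root)

        simulate_session(root)
        during = snapshot(root)

        restore(root, frozen)  # the "restart"
        after = snapshot(root)

        return {
            "changed_during_session": during != frozen,
            "dropped_file_present_during": "drivers/dropped.sys" in during,
            "readme_missing_during": "readme.txt" not in during,
            "restored_after_restart": after == frozen,
            "dropped_file_present_after": "drivers/dropped.sys" in after,
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The snapshot differs during the session (the dropped driver is present and the deleted file is gone), and after the restore it is byte-for-byte identical to the frozen state, which is exactly why this layer cleans up an infection without needing to recognise it first.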

I hope that those of you who are still awake after reading this found it somewhat useful. Let me know if you have any questions about Duqu!