Duqu Trojan Command and Control Server Found in Mumbai, India

News of Duqu, a large-scale trojan attack, surfaced on the Internet last week. The impact of Duqu measures up to the likes of Stuxnet, as it attacks mission-critical systems. Duqu was discovered by Symantec, which claimed that it has code similar to the Stuxnet trojan. This malware has raised concern in the security world because it has been devised to wreak havoc in industrial settings, just like Stuxnet. The primary targets of Duqu are oil refineries, power plants and pipeline systems.
Duqu has a scare factor very similar to Stuxnet's because it attacks critical industries. Although it is not related to Stuxnet in any way, the complicated nature of Duqu makes it look like a well-funded attack, probably by a government. The first piece of evidence in Duqu was found at Web Werks, a web-hosting company based in Mumbai. The Department of Information Technology in India received a tip from Symantec, and the Indian Computer Emergency Response Team visited the Web Werks offices. They seized two hard drives containing information about the trojan. Apparently, the hosting at Web Werks was used to run the attackers' command-and-control server. However, the complicated nature of the trojan makes quick analysis difficult.

The Duqu trojan, as explained by Symantec, is:

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer. Initial analysis of this threat has shown that it is related closely to the W32.Stuxnet worm from 2010.

Although the list of affected systems does not include Windows 7, it covers every Windows version before Windows 7, all the way back to Windows 95. However, you may be surprised to see that the Symantec page on Duqu rates it as low severity.

Web Werks has failed to track down the dubious customer who owned the hosting account, and the Indian Department of Information Technology is yet to unearth the mysteries contained in the seized drives. A second command-and-control center has recently been located in Belgium.

Meanwhile, CrySyS Lab in Hungary got hold of an installer for Duqu and claims that it exploits an unknown vulnerability in the Windows kernel. The attack spreads through a .doc (Word document) file and is being distributed through social engineering. The safest way to protect against the worm is to follow email best practices and steer clear of anything that looks fishy, especially dubious Word documents.

Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.