Smelling a RAT on Duqu

Entrust CTO

I have been doing research on Duqu and talking to security researchers I know who have also been working on it themselves. The bottom line is that Duqu is little more than hype. It’s also malware, but it’s easily fought malware. Mostly, though, it’s hype, and hype of which its perpetrators should be ashamed.


To be specific, Duqu is a RAT. That’s malware-speak for Remote Access Trojan, which is a common type of malware.

Duqu is not a relative of Stuxnet. It uses Return-Oriented Programming to exploit the Windows system it’s on. Return-Oriented Programming, or ROP, is a relatively new way to write malware. It works by finding convenient short snippets of code that sit just before return instructions and threading them together into a coherent bit of malware. ROP is perhaps best described in Hovav Shacham’s 2007 talk from Black Hat, “Return-oriented Programming: Exploitation without Code Injection.”

ROP has been used in a lot of recent hacks. For example, the intrinsic OS security on iOS has gotten good enough that all of the recent jailbreaks have had to use ROP. Stefan Esser (a.k.a. i0n1c) has said that ROP is the only way left to exploit iOS. His 2011 Black Hat talk on the subject goes into this in detail and is also a good source on the subject.

ROP was also used extensively in Stuxnet.

This is why Duqu resembles Stuxnet. At the risk of oversimplifying, each of them uses convenient pieces of the Windows code base to assemble a ROP-based Turing machine, and the actual program is a meta-program written as tables of these ROP code fragments. If that sounds complex enough to make your eyes bleed, it is. Nonetheless, all ROP programs resemble each other, just as all windowing programs resemble each other (because they all manipulate windows) and all network servers resemble each other (because all network servers have to send, receive, and parse). All the cool kids are doing ROP these days. It’s hard to write, hard to analyze (look at how they fooled all the major virus people but one), and gets nods of respect even from graybeard kernel hackers like me.

It’s possible that whoever wrote Duqu may have stolen some actual code from Stuxnet. That’s easy to do, especially for any malware author who is skilled with a disassembler like IDAPro, a group which is only marginally smaller than the number of malware authors who are skilled at using a keyboard. It’s even more likely that the Duqu authors learned from Stuxnet. We coders do that all the time. We see something impressive and we learn from it. Nonetheless, saying that Duqu must have been written by the Stuxnet author because they resemble each other is jumping to a conclusion. It is a lot like looking at an Android phone and an iPhone and then concluding that they must have common authors. The nicest thing I can say about it is that it’s premature and naive. The detective work alone (who has means, motive, and opportunity, etc.) tells you they’re not the same. Stuxnet was made by someone who doesn’t like Iran and doesn’t like uranium refining. Once you take off the frosting and sprinkles, this is just a RAT.

Duqu has the amusing feature that it deletes itself after 36 days, but thinking that that’s a reason it was written by the Stuxnet authors is just silly.

Duqu did have signed code. But in another grotesque bit of naïveté and hysteria, many of the reporters couldn’t see that there was nothing unique about this, either. Someone hacked a Taiwanese audio chipset manufacturer, stole their code signing certificate, and signed Duqu with the stolen certificate. That’s all.

Duqu is unlike Stuxnet in all other ways. Duqu does not manipulate control systems. It does not target CAs. Duqu is a RAT and nothing more. And nothing less, too. RATs are dangerous malware, but they’ve existed for as long as there has been malware. The hyperbole surrounding Duqu is not warranted.

In fact, most people involved in the Duqu story should be ashamed of themselves. The hype starts with McAfee, who named it “Duqu” because the malware creates files that start with “~DQ.” By giving it a scary name like Duqu, they lit the fire. They compounded it by stating categorically that it must have been written by the Stuxnet authors. McAfee has since rescinded their claim that the code signing certificate must have been misissued. My contempt extends outward to the credulous reporters everywhere who just let their brains fall out of their heads.

Kudos should go to both Symantec and Sophos for bringing some sanity to the situation. Fewer kudos to Symantec, because they got right that Duqu is merely a RAT, but they missed the ROP angle. They did get right, especially in their updates, that Duqu was signed with a stolen key.

Sophos, on the other hand, has written one of the few shining lights of perspective on this whole issue. Their article not only makes fun of the Duqu name, but calls the whole thing a conspiracy theory. I haven’t, only because they beat me to it. They also humorously tie Duqu to a conspiracy involving Sergey Brin, Steve Ballmer, and Larry Ellison.

F-Secure wasn’t as good as Sophos, but was better than Symantec, and its article pointed out a number of inconsistencies in the conclusions others were jumping to.

In short, there’s little to see here. Someone wrote an interesting RAT. They signed it with a stolen key. The virus companies are on top of it. Everything else is hype.
