
Return of Duqu: Kaspersky discovers highly advanced new threat

Kaspersky has announced the discovery of a new highly sophisticated threat, Duqu 2.0, which follows on from the original Duqu and could create equal amounts of havoc.

The security firm notes that it detected an intrusion on its internal network back in the spring, and on further investigation found that it was the work of a new, highly advanced and powerful malware platform.

Kaspersky believes the group which launched the attack is the same party behind the 2011 Duqu affair, and it wasn’t just the security company which was targeted. This is apparently a nation-state sponsored campaign, with other victims having been targeted in the Western world, as well as the Middle East and Asia.

Some of these infections, from this year and last, are linked to the P5+1 negotiations with Iran which involved diplomatic efforts to prevent the latter country from obtaining a nuclear weapon.

As for the attack on Kaspersky, the firm believes the goal was to steal information regarding its newest security technologies, including fraud prevention and Anti-APT solutions. The company notes that this info in no way relates to the operation of its products such as its popular internet security suite.

The attack was of such sophistication that it left almost no trace whatsoever, changing no system settings, and leaving no files behind.

Such is the advanced nature of this attack that Kaspersky believes the attackers were confident their intrusion would be “impossible” to discover.

Costin Raiu, Director of Kaspersky Lab’s Global Research and Analysis Team, commented: “The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar. This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high.

“To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”
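The traffic pattern Raiu describes gives defenders something to look for even when nothing is written to disk: internal hosts never talk to the command-and-control servers themselves, so the compromised gateway or firewall has to originate those connections. The script below is an added illustration, not Kaspersky's code or any detail from its report; the flow log, the gateway address, the internal range and the allowlist of external services the gateway is expected to contact on its own behalf are all constructed for the example. It flags flows whose source is the gateway itself and whose destination is an external host outside that allowlist.

```python
"""Flag outbound flows that a gateway originates itself to unknown external hosts.

Added example (not Kaspersky's code). Normal gateways forward packets on behalf of
internal sources and rarely open connections of their own except to a short list
of services (updates, NTP, DNS forwarders). A gateway that starts its own sessions
to unfamiliar external hosts matches the proxying behaviour described in the quote.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow log (src,dst,dst_port,bytes); addresses are documentation ranges.
SAMPLE_FLOWS = """\
10.0.0.23,10.0.0.1,53,140
10.0.0.1,203.0.113.9,443,18200
10.0.0.1,203.0.113.9,443,22044
10.0.0.45,10.0.0.1,53,96
10.0.0.1,198.51.100.7,123,76
10.0.0.1,192.0.2.55,443,531000
10.0.0.23,10.0.0.8,445,8800
"""

# Hypothetical network layout for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
GATEWAY_ADDRS = {ipaddress.ip_address("10.0.0.1")}
# Hypothetical allowlist: external services the gateway legitimately contacts itself (here an NTP server).
GATEWAY_ALLOWLIST = {ipaddress.ip_address("198.51.100.7")}


def parse_flows(text):
    """Parse 'src,dst,dst_port,bytes' lines into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, nbytes = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), int(nbytes)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def gateway_originated_external(flows):
    """Return {dst: (flow_count, total_bytes)} for flows the gateway itself
    originated to external hosts that are not on its allowlist."""
    suspicious = defaultdict(lambda: [0, 0])
    for src, dst, _port, nbytes in flows:
        if src in GATEWAY_ADDRS and not is_internal(dst) and dst not in GATEWAY_ALLOWLIST:
            suspicious[dst][0] += 1
            suspicious[dst][1] += nbytes
    return {str(dst): tuple(counts) for dst, counts in suspicious.items()}


if __name__ == "__main__":
    for dst, (count, total) in gateway_originated_external(parse_flows(SAMPLE_FLOWS)).items():
        print(f"gateway-originated flows to {dst}: {count} sessions, {total} bytes")
```

One caveat follows directly from the quote: the malicious driver sits on the gateway, so flow records exported by that same device cannot be trusted to show its own traffic. The check is only meaningful when the flows come from a vantage point the gateway does not control, such as an upstream tap or the next-hop router.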