Researchers Discover New Duqu Variant That Tries to Evade Antivirus Detection - masonhimought
Security researchers have discovered a new variant of the Duqu cyberespionage malware that was designed to evade detection by antivirus products and other security tools.
Researchers from Symantec announced the discovery of a new Duqu driver, the component responsible for loading the malware's encrypted body, on Monday via Twitter. The driver is known as mcd9x86.sys and was compiled on Feb. 23, said Vikram Thakur, chief security response manager at Symantec.
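The compile date quoted above comes from the TimeDateStamp field in the driver's COFF header. The following is an added example, not code from the article, Symantec or Kaspersky: it reads that field from a PE image and reports it as a UTC time, which is how an analyst turns a file into the "compiled on Feb. 23" style of statement. The PE buffer built by `build_minimal_pe` is a constructed stub just large enough for the parser (not a loadable binary), and the timestamp fed into it is a constructed value, not the real driver's.

```python
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20  # Machine(2) NumberOfSections(2) TimeDateStamp(4) ... Characteristics(2)


def build_minimal_pe(timestamp: int, machine: int = 0x014C) -> bytes:
    """Constructed sample: a DOS stub, e_lfanew pointer, PE signature and COFF header.

    Just enough for pe_compile_time() to parse; it is not a runnable executable.
    """
    e_lfanew = 0x40
    dos_header = bytearray(e_lfanew)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)  # offset of the PE signature
    coff = struct.pack(
        "<HHIIIHH",
        machine,    # Machine (0x014C = i386, 0x8664 = x64)
        1,          # NumberOfSections
        timestamp,  # TimeDateStamp: seconds since the Unix epoch
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0, 0,       # SizeOfOptionalHeader, Characteristics
    )
    return bytes(dos_header) + PE_SIGNATURE + coff


def pe_compile_time(data: bytes):
    """Return (machine, compile_time_utc) from a PE image, or raise ValueError.

    Validates the MZ magic, the e_lfanew pointer and the PE signature before
    trusting any field, so truncated or non-PE input fails cleanly.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    machine, _num_sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return machine, datetime.fromtimestamp(stamp, tz=timezone.utc)


def compiled_within(data: bytes, start: datetime, end: datetime) -> bool:
    """Triage helper: did this sample's header timestamp fall inside a window of interest?"""
    _machine, compiled = pe_compile_time(data)
    return start <= compiled <= end


if __name__ == "__main__":
    # Constructed timestamp: 2012-02-23 00:00:00 UTC, chosen only to illustrate the field.
    sample = build_minimal_pe(1329955200)
    machine, compiled = pe_compile_time(sample)
    print(f"machine=0x{machine:04X} compiled={compiled.isoformat()}")
```

The header timestamp is written by the linker and is fully under the author's control; it can be zeroed, backdated or reused across builds, so treat it as a clue that is consistent with other evidence (file system times, certificate validity periods, first-seen dates) rather than as proof of when a sample was built.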
Originally discovered in October 2011, Duqu is related to the Stuxnet industrial sabotage worm, with which it shares portions of code. However, unlike Stuxnet, which was created for sabotage purposes, Duqu's main goal is stealing sensitive information from particular organizations around the world.
The discovery of the new driver is a clear indication that the Duqu authors are continuing their mission, said Thakur. "No amount of public awareness about Duqu has deterred them from using it to accomplish their objective."
"I think when you invest as much money as was invested into Duqu and Stuxnet to create this flexible framework, it's impossible to simply throw it away and start from zero," said Costin Raiu, director of Kaspersky Lab's global research and analysis team. "We always said that future variants of Duqu and Stuxnet will most likely be based on the same platform, but with enough changes to make them undetectable by security software. Indeed, this is the case here."
The source code of the new driver has been reshuffled and compiled with a different set of options than those used in previous versions. It also contains a different subroutine for decrypting the configuration block and loading the malware's body.
"We have seen this technique in October 2011, when the Duqu drivers were recompiled and bundled with new encryption subroutines, following the public disclosure," Raiu said.
The Duqu variant most likely uses a new command and control (C&C) server, since all previously known ones were shut down on Oct. 20, 2011, Raiu said. However, neither Symantec nor Kaspersky researchers know the exact address of the new server, because they don't have the component that contains that information.
"We do not have the full Duqu body, only the loader in the form of the driver. The loader does not contact the C&C directly, it only loads the main body which is stored in encrypted form," Raiu said.
Even if the new server were known, it would probably be configured in a manner that wouldn't allow anyone to get too close to the real attackers, Thakur said. The Duqu authors are confident that the malware will remain non-attributable, he said.
The organizations targeted by the new version are also unknown at the moment, but they're probably the same ones as in previous variants, Raiu said.
Source: https://www.pcworld.com/article/469228/researchers_discover_new_duqu_variant_that_tries_to_evade_antivirus_detection.html