First it was Stuxnet, believed to have been created by Israel with US assistance; now it is the new Duqu virus. Via Elder of Ziyon:
From Reuters:
Iran said on Sunday it had detected the Duqu computer virus that experts say is based on Stuxnet, the so-called "cyber-weapon" discovered last year and believed to be aimed at sabotaging the Islamic Republic's nuclear sites.
The head of Iran's civil defense organization told the official IRNA news agency that computers at all main sites at risk were being checked and that Iran had developed software to combat the virus.
Iran's PressTV says Iran has developed a software program that can “control” the newly discovered Duqu spyware. However, as Elder of Ziyon also reports:
Microsoft has been unable to create a patch for the exploit being used by Duqu yet, but it did release a workaround.
Duqu installs a Trojan that steals data from machines, seemingly as a precursor for a much bigger attack. It seems to have a lot of code in common with Stuxnet...
What is DUQU?
Dubbed "STUXNET 2.0," the malware DUQU made IT security industry headlines in the middle of October 2011, after it was called "the precursor of a future Stuxnet-like attack".
This threat was given the name DUQU because the files it creates were found to have the prefix "~DQ".
DUQU is believed to be written by the same authors as STUXNET. STUXNET, which was spotted in July 2010, targeted SCADA systems—critical control systems that run complex infrastructure such as transportation systems, water systems, and oil refineries, among others.
However, based on analysis, DUQU does not have any capability to access SCADA systems. (Continue at Trend Micro.)
Here's more as it pertains to all, via Trend Micro:
We have been closely monitoring developments on the DUQU malware since our initial blog post when the threat broke the news. And just recently, the Hungary-based security laboratory that initially reported on DUQU released more information that sheds more light on the nature of the said threat.
Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.
The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.
does it take the nukes down?...lol .Hope u had a nice weekend~!:)
Posted by: Angel | November 13, 2011 at 09:19 PM
Snake Hunter Sez,
What Ever It Takes!
reb
___ ___
Posted by: Ralph E. | November 13, 2011 at 09:52 PM
Can't come soon enough.
Posted by: Opus #6 | November 13, 2011 at 09:56 PM