During our research on the Winnti group we discovered a considerable amount of Winnti samples targeting different gaming companies. Using this sophisticated malicious program cybercriminals gained remote access to infected workstations and then carried out further activity manually.

Naturally, we were keen to find out how the malicious libraries spread across a local network. To do so, we tracked the attackers- activity on an infected computer.

1^st attempt: virtual machine #1

At the beginning of the investigation we ran the malicious programs on a virtual machine, which worked fairly well - we even spotted some cybercriminal activity. But they quickly realized it wasn-t a computer they wanted to net. Once that was the case, the attackers- servers stopped responding to requests from bots working on virtual machines.

This is what we managed to learn at this stage of our monitoring.

First of all, the perpetrators looked at what was happening on the victim-s desktop. After that they enabled the remote command line and used it to browse the root folder of the current disk, searched for the file winmm.dll, and checked the operating system version. The ListFileManager plugin then came into play. It works with the file system and the attackers used it to browse the folders C:\Windows and C:\Work. Then they tried to restart the computer, but made a mistake in the parameters of the ?shutdown� command, having typed ?shutdown /t /r 1� (the computer should have been restarted in 1 second), but after a while they shut the computer down completely with the use of the correct command ?shutdown /s /t 1�.

Today Kaspersky Lab's team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti.

According to report, the Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active.

The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects.

The attackers' favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.

In our report we publish an analysis of the first generation of Winnti.

The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. The incidents, as well as results of our investigation, are described in the full report (PDF) on the Winnti group.

The Executive Summary is available here.

Is this research about a gaming Trojan from 2011? Why do you think it is significant?

This research is about a set of industrial cyberespionage campaigns and a criminal organization which massively penetrates many software companies and plays a very important role in the success of cyberespionage campaigns of other malicious actors.

It is important to be aware of this threat actor to understand the broader picture of cyberattacks coming from Asia. Having infected gaming companies that do business in the MMORPG space, the attackers potentially get access to millions of users. So far, we don't have data that the attackers stole from common users but we do have at least 2 incidents where the Winnti malware was planted on an online game update servers and these malicious executables were spread among a large number of the online gamers. The samples we observed seemed not to be malware targeting end user gamers, but a malware module which accidentally got into wrong place. Hoever, the potential for attackers to misuse such access to infect hundreds of millions of Internet users creates a major global risk.

It's important to understand that many gaming companies do business not only in gaming, but very often they are also developers or publishers of different other types of software. We have tracked an incident where a compromised company served an update of their software which included a Trojan from the Winnti hacking team. That became an infection vector to penetrate another company, which in turn led to a personal data leak of large number of its customers.

So far, this research is dedicated to a malicious group that not only undermines trust in fair gameplay but has a serious impact on trust in software vendors in general, especially in the regions where the Winnti group is active at the moment.

What are the malicious purposes of this Trojan?

The Trojan, or to be precise, a penetration kit called Winnti includes various modules to provide general purpose remote access to compromised machines. This includes general system information collection, file and process management, creating chains of network port redirection for convenient data exfiltration and remote desktop access.

Is this attack still active?

Yes, despite active steps to stop the attackers by the revocation of digital certificates, detection of the malware and an active investigation, the attackers remain active, with at least several victim companies around the world being actively compromised.

How easy is it for bad guys to buy valid digital certificates from CAs using fake data and then start signing Trojan bankers with them? In Brazil it appears to be very easy.

Today most software developers digitally sign their programs. The process involves Certification Authorities (CAs) that must verify the authenticity of the files and issue a certificate to the developers.

As we know, valid or stolen digital certificates are used by some malware authors to create files that can go undetected for some time and be recognized as legitimate. Now Brazilian cybercriminals have started using this technique in their malware in an attempt to gain more time to spread files undetected. Recently we found a Trojan banker signed with a valid digital certificate issued by a CA. It appears that fake company data was used to obtain the certificate.

How easy is it for a CA to check if the data they receive is legitimate or not? Brazilian cybercriminals registered a domain called gastecnology.org, copying the name of a well-known and trusted local software company. This is the data used to register the domain:

In our FAQ on Flame posted on May 28, 2012, we postulated there might be a still undiscovered zero-day vulnerability in Flame:

“At the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high risk 0-day.”

Our suspicion was heightened because fully patched Windows 7 machines were being infected over the network in a very suspicious manner.

We can now confirm this is the main purpose of a special module of Flame called “Gadget” together with another module called “Munch”.

(NOTE: It’s important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities. The “Gadget” module is simply used to spread within a network from a machine that is already infected with the malware).

The “Gadget” and “Munch” modules implement an interesting man-in-the-middle attack against other computers in a network.

When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client.

The fake update claims to be the following:

“update description="Allows you to display gadgets on your desktop."
displayName="Desktop Gadget Platform" name="WindowsGadgetPlatform">

In the process of infecting a client, 8 CAB files are used. One of them contains a specifically built program called WuSetupV.exe:

This program (also detected as Worm.Win32.Flame.a), which is 28KB in size, has been signed by a fake Microsoft certificate:

This allows it to run in the victim’s machine without any warnings.

The Flame “Gadget” downloader was compiled on December 27th, 2010. It was signed on December 28 and it was finally put into the CAB archive on Jan 11, 2011.

The following is exactly how the process occurs: the infected machine sets up a fake server by the name “MSHOME-F3BE293C”, which hosts a script that serves a full body of the Flame malware to victim machines. This is done by the module called “Munch”.

When a victim updates itself via Windows Update, the query is intercepted and the fake update is pushed. The fake update proceeds to download the main body and infect the computer.

Gadget plugin downloads the main body of the malware

The interception of the query to the official Windows Update (the man-in-the-middle attack) is done by announcing the infected machine as a proxy for the domain. This is done via WPAD. To get infected, the machines do need however to have their System Proxy settings configured to “Auto”.

As we continue our investigation of Flame, more and more details appear which indicate our initial statement: this is one of the most interesting and complex malicious programs we have ever seen.

Important information: One June 4th, 2012, Microsoft released a number of blog posts and an Update for Windows which is blocking three fraudulent certificates used by Flame. We recommend that Windows users apply this update immediately.

Microsoft SRD blog:http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

Microsoft security advisory 2718704:http://technet.microsoft.com/en-us/security/advisory/2718704

MSRC blog:http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx

Post was updated 19.03.2012 (see below)

In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes respectively.

Numerous dropper files have been identified that were signed on various dates between December 2011 and 7 March 2012. In all those cases a certificate was used that was issued for the Swiss company Conpavi AG. The company is known to work with Swiss government agencies such as municipalities and cantons.

Information about the Trojan-Dropper.Win32.Mediyes digital signature

In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.

The SSL PKI has been in use and implemented for 15 years now to secure online communications. From its initial proprosals and immediate growth, the need for secured online communications has been met with challenges. The infrastructure and protocol itself is showing signs of wear, with multiple attacks and corrections to the scheme itself. And in its 15th year, an alternative to the Cerificate Authority infrastructure is finally being given some competition with the release and debate around Convergence, an open source alternative to the current system of Certificate Authorities. Feel free to right click and download for the full sized version; the graphic below provides a list of some of the major events for SSL/TLS PKI in the past 15 years.

Our investigation and research of Duqu malware continues. In our previous report, we made two points:

• there are more drivers than it was previously thought;
• it is possible that there are additional modules.

Besides those key points, we concluded that unlike the massive Stuxnet infections, Duqu attacks are limited to an extremely small number of targets.

But before informing you about our new findings, I would like to pay tribute to the Hungarian research laboratory Crysys for their work. They were the first who analyzed Duqu components and generated an excellent report. It was later provided to antivirus vendors and became the basis of further investigations. (Unfortunately, our company was not the first to receive this report, but now it's even more interesting to find out everything about Duqu)

Our experts continue to conduct in-depth analysis of all Duqu components, and are finding more evidence of similarities between Duqu and Stuxnet. A detailed report with our experts' analysis of files and their structure is in progress and will be published later. This part of our research is not the most urgent. It is much more important to understand the details of the attacks and the facts, which will be discussed here.

First of all, we feel it necessary to clarify some of the confusion surrounding the files and their names related to this incident. To get a full understanding of the situation you only need to know that we’re talking about just two malicious programs here (at a minimum) - the main module and a keylogger. All that has been mentioned in last 24 hours about connections between Duqu and Stuxnet is related mostly to the first one - the main module.

The main module consists of three components:

• a driver that injects a DLL into system processes;
• a DLL that has an additional module and works with the C&C; and
• a configuration file.

The module is very similar to Stuxnet - both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy-program!

This second malicious program, which is basically a keylogger (but is also able to collect other types of information) was discovered on the system of one of the victims together with the main module described above. Because of this fact, plus the main module’s ability to download other components, it was assumed that the main module and the keylogger were somehow related to each other. While working in a system, the keylogger stores collected data in files with names like ~DQx.tmp. So the name of the main module – Duqu – was given based on these files.

But actually, the code of the Trojan-Spy in part proves the connection between it and the main module, and it was probably downloaded by the main module sometime earlier. But as per its functionality, it is an independent malicious application able to work without the main module. At the same time, the main module is able to work without the Trojan-Spy. However, the connection between the keylogger and Stuxnet is not so obvious, and that’s why it’s possible – at a stretch – to perhaps call it a grandchild of Stuxnet, but certainly not its child :)

Updated March 27, 2012 (Scroll down to bottom)

This is an active investigation by Kaspersky Lab's Global Research & Analysis Team. We will be updating this FAQ document as necessary.

What exactly is Duqu? How is it related to Stuxnet?

Duqu is a sophisticated Trojan which seems to have been written by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. This is the main difference when compared to Stuxnet, which was created to conduct industrial sabotage. It's also important to point out that while Stuxnet is able to replicate from one computer to another using various mechanisms, Duqu is a Trojan that doesn't seem to replicate on its own.

Does this target any PLC/SCADA equipment? Exactly who/what are the targets? Do we know?

Unlike Stuxnet, Duqu doesn't target PLC/SCADA equipment directly, although some of its subroutines could be used to steal information related to industrial installations. It appears that Duqu was created in order to collect intelligence about its targets, which can include pretty much anything that is available in digital format on the victim’s PC.

How does Duqu infect computers? Can it spread via USB devices?

In the cases we have analysed, Duqu infects a computer through a targeted attack involving a Word document which exploits the CVE-2011-3402 vulnerability. This is a 0-day vulnerability in the Windows kernel component Win32k.sys which allows the attackers to run code with the highest privilege level, bypassing pretty much most of the protection mechanisms from Windows or security software. According to our knowledge, Duqu is the only malware using this vulnerability to infect computers. All Kaspersky Lab security solutions detect this vulnerability under the name Exploit.Win32.CVE-2011-3402.a as of November 6, 2011.

Is there any exploit, especially zero-day in Duqu?

There is indeed a 0-day vulnerability being used to infect computers in the initial phase. Microsoft released an advisory (2639658) with basic information and mitigation steps.

How did AV vendors become aware of this threat? Who reported it?

Duqu was brought to the attention of the security community by the Hungarian Research Lab CrySyS. They were the first to point out the resemblance to Stuxnet and perform what remains the most thorough analysis of the malware yet.

When was this threat first spotted?

The first Duqu attacks were spotted as early as mid-April 2011. The attacks continued in the following months, until October 18, when news about Duqu was made public.

How many variants of Duqu are there? Are there any major differences in the variants?

It appears that there are at least seven variants of the Duqu drivers, together with a few other components. These are all detected with different names by various anti-virus companies, creating the impression that there are multiple different variants. At the time of writing, we are aware of two Infostealer components and seven different drivers. Additionally, we suspect the existence of at least another Infostealer component which had the capability to directly search and steal documents from the victim's machine.

There is talk that this specifically targets Certificate Authorities. Is this true?

While there are indeed reports indicating that the main goal of Duqu is to steal information from CAs, there is no clear evidence at this time to support this claim. On the contrary, we believe the main purpose of Duqu was different and CAs were just collateral victims.

Symantec says this is targeted to specific organizations, possibly with a view to collecting specific information that could be used for future attacks. What kinds of data are they looking for and what kinds of future attacks are possible?

One suspicion is that Duqu was used to steal certificates from CAs that can be used to sign malicious code in order to make it harder to catch. The functionality of the backdoor in Duqu is actually rather complex and it can be used for a lot more. Basically, it can steal everything, however, it looks like attackers were particularly interested in collecting passwords, making desktop screenshots (to spy on the user) and stealing various kinds of documents.

Is the command-and-control server used by Duqu still active? What happens when an infected machine contacts the C&C?

The initial Duqu C&C server, which was hosted in India is no longer active. Just like in the case of Stuxnet, it was pulled offline pretty quickly once the news broke. In addition to this, we are aware of another C&C server in Belgium, which was also quickly taken offline. Actually, it appears that every single Duqu targeted attack used a separate C&C server.

Why is Duqu configured to run for 36 days?

Maybe the author was a fan of round numbers, such as 6x6? :) Actually, the time for which Duqu is running in the system is defined by the configuration file and varies between the attacks. We have also seen instances where the duration was set to 30 days.

Who is behind this attack?

The same gang who was behind Stuxnet. Curiously, they seem to have picked up an interest in astronomy; the infostealer executable has a portion of a JPEG file picked up by the Hubble telescope (“Interacting Galaxy System NGC 6745”):

The picture portrays the aftermath of direct collision of two galaxies(!), several million of years ago. You can read the story here.

UPDATE (November 15, 2011):

Q: What exactly is being stolen from the target machines?

When activated, the main Duqu program body connects to its C&C server and downloads updates and supplemental modules. One such module is the Duqu "infostealer," for which two versions are known and others are believed to have existed at various points in the time.

The "infostealer" module is downloaded in memory and executed through the process injection technique used by Stuxnet and Duqu to avoid temporary files. This is done in order to make sure that the "infostealer" component (and other Duqu updates) will not be intercepted or left behind on an infected machine. It also means that they have a limited lifetime, basically until the next system reboot.

The most powerful version of the "infostealer" has the ability to intercept keystrokes, it makes screenshots of the whole screen (first time) and of the active window, collects the IE browsing history and various data related to the system network configuration. There is also code which can do browsing of network shares. All this information is nicely packaged into a file that is written into the %TEMP% folder by default. It is a compressed BZIP2 format with modified headers. Thanks to the BZIP2 compression, the files are smaller than you'd think.

The "infostealer" components we have seen create files with the name "~DQx.tmp". In addition to this, we are aware of other files with the name "~DFxxxxx.tmp" and "~DOxxxxx.tmp". The "DF" and "DO" have a similar format and appear to have been generated by an earlier version of the "infostealer". They also contain more information, including various files the victim PC such as Word or Excel documents. The "~DF" files are generally much bigger, due to their additional file content.

In all cases, they are easy to recognize by the header "ABh91AY&SY". If you find such files in your PC then most likely you've been a victim of Duqu. If you'd like to scan your system for such files, the nice people at CrySyS have a set of tools that can help.

Q: I heard that Duqu and Stuxnet are written by the same people. I also heard that Duqu and Stuxnet are written by different people. What is the truth?

Duqu and Stuxnet have a lot of things in common. Usage of various encryption keys, including ones that haven't been made public prior to Duqu, injection techniques, the usage of zero-day exploits, usage of stolen certificates to sign the drivers, all of these make us believe both have been written by the same team.

So, what does that mean exactly? Simply put, different people might have worked on Duqu and Stuxnet, but most likely they worked for the same "publishing house." If you want an analogy, Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them.

Q: What is the link between Duqu and Showtime's Dexter?

In the incidents we have analyzed, Duqu arrives in the system in the form of a Microsoft Word Document. The document contains an exploit for the vulnerability known as CVE-2011-3402. This is a buffer overflow in a function of Win32k.sys which deals with True Type fonts. To exploit this specific vulnerability, an attacker needs to craft a special True Type Font and embed it into a document, for instance, a Word Document.

Now, for the connection part - in the incident we've analyzed (and this is also true for the other known incident), the attackers used a font presumably called "Dexter Regular", by "Showtime Inc.," (c) 2003. This is another prank pulled by the Duqu authors, since Showtime Inc. is the cable broadcasting company behind the TV series Dexter, about a CSI doctor who also happens to be a serial killer who avenges criminals in some post-modern perversion of Charles Bronson's character in Death Wish.

Q: So, are the Duqu authors sociopath serial killers with an interest in computer malware?

We hope they are just fans of Dexter.

Q: Stuxnet contains a particular variable which points to May 9, 1979, the date when a prominent Jewish businessman called Habib Elghanian was executed by a firing squad in Tehran. Are there such dates in Duqu as well?

Interestingly, the same constant can be found in Duqu as well. The Hungarian CrySyS lab was the first to point out the usage of 0xAE790509 in Duqu. In the case of Stuxnet, the integer 0x19790509 is used as an infection check; in the case of Duqu, the constant is 0xAE790509.

What is less known is that 0xAE790509 was also used in Stuxnet, however, prior to Duqu this was not included in any of the public analyses we are familiar with.

There are also many other places where the constant 0xAE is used, both in Duqu and Stuxnet.

Finally, the constant 0xAE240682 is used by Duqu as part of the decryption routine for one of the known PNF files. In case you are wondering, 24 June 1982 is indeed an interesting date - check out the case of BA flight 9.

* Research by Kaspersky Lab Global Research & Analysis Team.

Further reading:

Part One. Connections between Duqu and Stuxnet. October 20th, 2011

Part Two. One of the first real infection cases took place in Sudan. October 25th, 2011

Part Three. Detection of the main missing link – a dropper that performed the initial system infection. November 02, 2011

Part Four: Enter Mr. B. Jason and TV’s Dexter. Puzzles with a photo of the NGC 6745 galaxy and the TV series Dexter. November 11, 2011

Part Five. Review of Duqu’s components. November 15, 2011

Part Six. Researching the Command and Control infrastructure used by Duqu. November 30, 2011

Part Seven. Stuxnet/Duqu: The Evolution of Drivers. December 28, 2011

Part Eight. The mystery of the Duqu Framework

Part Nine. The mystery of Duqu Framework solved

Part Ten. The mystery of Duqu: Part Ten

---

Podcast

Costin Raiu of Kaspersky Lab's Global Research and Analysis Team talks about the investigation into Duqu, the likelihood that it was written by the same team as Stuxnet, whether a government is behind its development and what mistakes the authors made.

Download the podcast from the Threatpost site.