Duqu – It’s Back!

Computerworld is reporting that the nasty malware Duqu is back. After several months in which no new samples had been seen, Symantec discovered a newly released Duqu driver on February 23, 2012.

Liam O Murchu, manager of operations at Symantec’s security response team, is quoted as saying that the functionality of the new driver was “more or less the same” as earlier versions, including the one spotted last October and another from late 2010 that later surfaced. According to O Murchu,

It’s hard to tell whether they really did take several months off, and if so, why. It’s installed on a very small number of computers, and that low, low distribution number means that they could have released more attacks between November and February, but everyone missed that. Or it could mean that they have been quiet.

Alexander Gostev, who leads Kaspersky’s global research and analysis team, is quoted as saying that the Duqu driver was probably modified to slip past security software and Duqu-sniffing programs like the open-source Duqu Detection Toolkit.

Duqu appears to spread by spearphishing, the technique in which highly targeted, socially engineered emails are sent to a very small number of people. A spearphishing email exists to get the recipient to take one action; in Duqu's case that action is opening an attachment that installs the Duqu malware.

How effective is spearphishing? The Department of Homeland Security researched this question. DHS found that untrained employees opened spearphishing emails 22% of the time; after training, the open rate was 21%. Training alone does little to stop these messages, because there is almost nothing in them for a recipient to notice. As Lt. Col. Gregory Conti, IT professor at West Point, observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

This is where SP Guard from Iconix comes into play.

SP Guard modifies the email client's display to provide a visual indicator of the identity of the sender of each message. The example below is from Outlook, the popular business email client. A company called "MyCo" is marking its internal messages as well as those from trusted partners such as its law firm. Note especially that the last message, though it looks benign, is a spearphishing message and is not marked as authentic:

[Screenshot: SP Guard Inbox]

SP Guard gives the email recipient three easy-to-recognize confirmations that a message really is an internal email or really comes from a trusted counterpart:

  1. List View. An integrity indicator appears in the list view of the email client.
  2. Message. The open message carries a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the open message displays a certificate that further identifies the sender.
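The page does not say how SP Guard establishes that a sender is genuine, and the example below is not Iconix's code and not a description of SP Guard's internals. It is an added illustration of the principle any such indicator has to follow to be worth anything: the badge must be tied to a sender identity that the receiving mail server actually verified (here, DKIM results read from the Authentication-Results header defined in RFC 8601) and to an explicit list of trusted domains, never to the display name or From address alone, since those are exactly what a spearphishing message copies. The domains, the mail server name and all five sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example (hypothetical): the page names "MyCo" and
# "their law firm" but no real domains or mail servers.
INTERNAL_DOMAINS = {"myco.example"}
PARTNER_DOMAINS = {"lawfirm.example"}

# authserv-id of MyCo's own inbound MTA. Only an Authentication-Results header
# written by this host may be trusted; the MTA must strip any copy that arrives
# from outside, otherwise an attacker simply forges one.
TRUSTED_AUTHSERV_ID = "mx.myco.example"


def parse_auth_results(header):
    """Parse an Authentication-Results header (RFC 8601) into
    (authserv_id, [{"method", "result", "props"}, ...]).
    Simplified: ignores CFWS comments and the optional version token."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return None, []
    authserv_id = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                props[key.lower()] = value.lower()
        results.append({"method": method.lower(),
                        "result": result.lower(), "props": props})
    return authserv_id, results


def classify(raw_message):
    """Return "internal", "partner" or "unverified" for an RFC 5322 message.

    A trust badge is earned only when (1) our own MTA recorded dkim=pass,
    (2) the signing domain (header.d) is exactly the domain shown in the
    From header, and (3) that domain is on an explicit allow-list.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if not from_domain:
        return "unverified"
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(header))
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # not written by our MTA: may be attacker-supplied
        for res in results:
            if res["method"] != "dkim" or res["result"] != "pass":
                continue
            if res["props"].get("header.d") != from_domain:
                continue  # signed, but not by the domain the user sees
            if from_domain in INTERNAL_DOMAINS:
                return "internal"
            if from_domain in PARTNER_DOMAINS:
                return "partner"
    return "unverified"


# Constructed sample messages (not real traffic).
INTERNAL_MSG = """\
From: Alice Chen <alice@myco.example>
Subject: Q1 budget review
Authentication-Results: mx.myco.example; dkim=pass header.d=myco.example header.s=sel1; spf=pass smtp.mailfrom=myco.example

Bob, please review the attached numbers before Friday.
"""
PARTNER_MSG = """\
From: Dana Ortiz <dortiz@lawfirm.example>
Subject: Revised NDA
Authentication-Results: mx.myco.example; dkim=pass header.d=lawfirm.example header.s=k1

Bob, revised draft attached as discussed.
"""
# Spearphish 1: From header copied from a real colleague, no valid signature.
SPOOFED_MSG = """\
From: Alice Chen <alice@myco.example>
Subject: Q1 budget review
Authentication-Results: mx.myco.example; dkim=none; spf=fail smtp.mailfrom=myco.example

Bob, updated figures attached, please open today.
"""
# Spearphish 2: validly DKIM-signed, but by a lookalike domain the attacker owns.
LOOKALIKE_MSG = """\
From: Alice Chen <alice@myco-corp.example>
Subject: Q1 budget review
Authentication-Results: mx.myco.example; dkim=pass header.d=myco-corp.example header.s=a

Bob, updated figures attached, please open today.
"""
# Spearphish 3: attacker includes a forged Authentication-Results header;
# our MTA appends its own genuine one, which records the signature failure.
FORGED_AR_MSG = """\
From: Alice Chen <alice@myco.example>
Subject: Q1 budget review
Authentication-Results: mx.attacker.example; dkim=pass header.d=myco.example
Authentication-Results: mx.myco.example; dkim=fail header.d=myco.example

Bob, updated figures attached, please open today.
"""

if __name__ == "__main__":
    for name, raw in [("internal", INTERNAL_MSG), ("partner", PARTNER_MSG),
                      ("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG),
                      ("forged_ar", FORGED_AR_MSG)]:
        print(f"{name:10s} -> {classify(raw)}")
```

Only the first two messages earn a badge; the three spearphishing variants, including the one with a valid DKIM signature from a lookalike domain and the one carrying a forged Authentication-Results header, are left unmarked, which is the behaviour the screenshot above illustrates for the last message in the inbox.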

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342, ext 3 or use our online form.

