Security vendor Kaspersky Lab has identified infections with the new Duqu malware in Sudan and, more importantly, Iran, the main target of the Trojan’s predecessor — Stuxnet.
Duqu took the security industry by storm last week when the Hungarian research laboratory Crysys shared its analysis of the new threat with the world’s top antivirus vendors.
Believed to be closely related to the Stuxnet industrial sabotage worm, from which it borrows code and functionality, Duqu is a flexible malware delivery framework used for data exfiltration.
The main Trojan module has three components: a kernel driver, which injects a rogue library (DLL) into system processes; the DLL itself, which handles communication with the command-and-control server and other system operations, like writing registry entries or executing files; and a configuration file.
The secondary module is a keylogger with information-stealing capabilities, which was discovered together with the original Duqu version. It’s not known with certainty when the malware appeared in the wild, but the first sample was submitted to the VirusTotal service on Sept. 9 from someone in Hungary.
via Network World, continued here.