Duqu2 Malware Trail – From Kaspersky Labs to Iranian Nuclear Talks

Gene Kaspersky, head of the Russian anti-malware vendor and security research labs reported yesterday that the malware that infected his labs last year was also found … drum roll … at the hotels for the delegates to the Iranian nuclear talks (see article).

Gene Kaspersky, head of Kaspersky Labs

Kaspersky reported yesterday (see article) that their lab was the victim of a sophisticated attack that they detected in the early spring.  They said that the attack used three different zero-day (previously unknown) vulnerabilities.

This malware, which they labelled Duqu2, lives only in memory and does not write to disk, so anti-malware software that scans the disk cannot detect it.

The earlier version of Duqu used a bug in Microsoft Word.  This version uses a bug in the Microsoft Installer.

Gene said that while the attackers did get some material off Kaspersky's systems, the intrusion was detected early, and the lab is confident that it removed the malware and that its customers are safe.

Fast forward to yesterday.  In the report, Kaspersky says that after they found this malware, they decided to do a little “spying” of their own to see where else this malware might be.

Given that their anti-malware software is loaded on tens of millions of computers, all they needed to do was add a detection for this particular malware and have the software report back when it found it.

After scanning millions of computers, including thousands of hotels, they found it – at three luxury hotels in Europe.  What these hotels have in common is that each had hosted negotiations between Iran and the rest of the world over nuclear issues.

Hmmm.  Who might have an interest in that?  Russia?  United States?  Israel?  Kaspersky is not naming names – he doesn’t do that – but there are hints that he thinks it is Israel.  While Israel denies spying on the U.S. and other allies (except for those times where they got caught at it), they don’t deny that they spy on Iran.  However, they responded with a ‘no comment’ type of response when asked if this bug was theirs.  Assuming it was, there goes some valuable intel.

So what does Duqu2 do?  It is composed of 100 distinct modules that do different things.  One, for example, compresses video feeds – like you might get from a CCTV security camera.  Other modules targeted communications from phones to WiFi.  Another allowed them to eavesdrop on microphones in elevators, alarm systems and computers.

The FBI is reviewing Kaspersky’s report and said while they have not confirmed the report, it doesn’t surprise them that someone would attempt to attack those hotels.

U.S. officials said, “We’re trying to keep as much security as we can, but nothing ever stays completely secret in this world we live in these days.”  The British, German and French said ‘no comment’.

In today’s world, with as high stakes as these negotiations are, this is not much of a surprise.

Kaspersky says that the attack on them likely started when an employee in a satellite office in Asia clicked on an attachment and loaded the malware.  No doubt, they are running some anti-malware software 🙂, so they detected the outbreak pretty quickly.

Pretty amazing stuff.
