Symantec researchers came across a driver file which appears to be a component of the infamous Duqu malware. The new driver was compiled on February 23, 2012, and it represents only a small part of the overall attack code.
The role of the driver is to load the rest of the threat after the computer restarts. Currently, experts are in search of the other components, but in the meanwhile they present a small analysis of Driver file.sys.
Duqu’s authors have made some minor changes to ensure that the piece of malware can avoid being detected by antivirus software.
The algorithm utilized to encrypt the other components on the hard disk was also modified and the stolen digital certificate that signed the previous versions of Duqu is no longer utilized.
This particular driver is pretending to be a Microsoft Class driver, bearing a different information version than the previously seen variants.
“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,” the Symantec report reads.
“Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”
Until Symantec or other security solutions provider uncovers the rest of the components and performs a more thorough analysis, we can only hope that this new Duqu variant won’t cause too much damage.
On the bright side, it’s clear that the attempt to avoid antivirus detection has failed, which means that users and companies should be safe as long they follow best security practices.
We’ll return with more information on this topic as soon as it becomes available.
Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile.