DUQU Remote Admin Trojan (RAT)
CYBER KENDRA :: INDEX :: PRODUCTS
Duqu is, basically, a RAT (Remote Admin Trojan) that once introduced in a system, functions as a downloader for other trojans. It consists of a Driver, a DLL and a configuration file. These files are installed by another executable that, as yet, has not been identified. This installer registers the driver as a service that must be executed during system startup. Once executed, the driver injects the DLL into the process services.exe and if the injection is made correctly, the DLL extracts other components that are themselves then injected into other processes.
It also waits 15 minutes before activating, once it arrives on a new machine (probably to avoid being detected in a sandbox). It is designed to automatically remove itself after 36 days.
PRICE: $150
A Summary of Behaviour
The malware opens a backdoor in the infected system which allows the attackers to obtain the following information from the compromised system:
A list of the processes currently executing, the details of the user’s account and domain information.
Names of the drives and related information, such as shared drives.
Screen captures.
Network information (routing tables, shared objects etc.).
Key strokes (Keylogger).
Names of all open windows.
A list of shared resources.
Exploration of files in all drives, including removable drives.
List of all machines in the domain (through NetServerEnum).
Name of the current module, PID, session ID, Windows directory, Temp directory.
Operating System version, including if it is 64-bit or not.
Information about network adapters.
Information about local time, including the time zone.
Finally, the malware sends all the extracted information in encrypted form to a predetermined control panel (206.183.111.97), at the same time allowing the download of more malicious content from the control panel.
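As an added defender-side example (not part of the original listing or of any Duqu analysis), the following Python triage pass flags, in constructed endpoint telemetry, the three behaviours the listing describes: a connection to the quoted control-panel address, a module loaded into services.exe from outside the Windows directory, and a boot-start driver service whose image sits outside the drivers directory. The Event record, the sample paths and the two path heuristics are assumptions of this example, not details from the post.

```python
# Added example, not from the original post: a small triage pass over
# constructed endpoint telemetry. Only the C2 address comes from the post;
# the two path heuristics below are assumptions of this example.
from dataclasses import dataclass

DUQU_C2 = "206.183.111.97"          # control-panel address quoted in the post
WINDIR = r"c:\windows"              # assumption: default Windows directory

@dataclass
class Event:
    kind: str        # "netconn", "modload" or "service"
    process: str     # image name of the process that produced the event
    target: str      # remote IP, loaded module path or driver image path
    start: str = ""  # service start type, for "service" events only

def _under(path: str, root: str) -> bool:
    return path.lower().startswith(root.lower() + "\\")

def triage(events):
    """Return a list of (rule, event) hits for Duqu-style behaviour."""
    hits = []
    for ev in events:
        if ev.kind == "netconn" and ev.target == DUQU_C2:
            hits.append(("known-c2", ev))
        elif (ev.kind == "modload" and ev.process.lower() == "services.exe"
              and not _under(ev.target, WINDIR)):
            # The post says the driver injects its DLL into services.exe;
            # a module in services.exe outside the Windows dir is suspicious.
            hits.append(("services-exe-foreign-module", ev))
        elif (ev.kind == "service" and ev.start.lower() == "boot"
              and not _under(ev.target, WINDIR + r"\system32\drivers")):
            hits.append(("boot-driver-outside-drivers-dir", ev))
    return hits

# Constructed sample telemetry; every path and address here is invented.
SAMPLE = [
    Event("netconn", "services.exe", "206.183.111.97"),
    Event("netconn", "browser.exe", "203.0.113.5"),
    Event("modload", "services.exe", r"c:\windows\system32\rpcss.dll"),
    Event("modload", "services.exe", r"c:\programdata\tmp\example_injected.dll"),
    Event("service", "services.exe", r"c:\windows\system32\drivers\afd.sys", "boot"),
    Event("service", "services.exe", r"c:\users\public\example_driver.sys", "boot"),
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE):
        print(f"{rule:34} {ev.process:14} {ev.target}")
```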