Alert out for new 'Stuxnet'-like threat

The security industry is on alert for a possible new threat similar to Stuxnet, a notorious computer worm that targets industrial systems. Security firm Trend Micro said the new threat, Duqu, has a payload that appears to be "inclined toward information theft." In a blog post, Trend Micro said Duqu has several components, including:

  • The SYS file, detected as RTKT_DUQU.A, which activates the malware and triggers the execution of its other routines. It may also establish a connection with its C&C server.
  • TROJ_SHADOW.AF, which checks whether any running process matches one of the following security-related processes: avp.exe (Kaspersky), Mcshield.exe (McAfee), avguard.exe (Avira), bdagent.exe (Bitdefender), UmxCfg.exe (CA), fsdfwd.exe (F-Secure), rtvscan.exe and ccSvcHst.exe (Symantec), ekrn.exe (ESET), RavMonD.exe (Rising)
"If found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code before resuming the execution. In effect, there will be two AV processes; the first being the original, and the second being the patched one," Trend Micro said. It added that TROJ_SHADOW.AF requires command-line arguments to execute properly. Available commands include:
  • collecting information on the affected system
  • terminating malware processes
  • deleting itself.
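The "two AV processes" side effect described above is something a defender can look for. The following is an added detection heuristic written for this article, not Trend Micro's code: given a process listing as (pid, image name, parent pid) tuples, it flags any of the security-product images named above that is running more than once and singles out the copy whose parent is not the expected launcher. The expected-parent set (services.exe) and the sample snapshot are assumptions constructed for the example.

```python
from collections import defaultdict

# Process names Trend Micro lists as the ones TROJ_SHADOW.AF looks for (lower-cased,
# since Windows image names are case-insensitive), mapped to the vendor.
SECURITY_PROCESSES = {
    "avp.exe": "Kaspersky", "mcshield.exe": "McAfee", "avguard.exe": "Avira",
    "bdagent.exe": "Bitdefender", "umxcfg.exe": "CA", "fsdfwd.exe": "F-Secure",
    "rtvscan.exe": "Symantec", "ccsvchst.exe": "Symantec", "ekrn.exe": "ESET",
    "ravmond.exe": "Rising",
}
# Assumption: a legitimate AV service is normally started by the service control manager.
EXPECTED_PARENTS = {"services.exe"}


def find_duplicate_security_processes(snapshot, expected_parents=EXPECTED_PARENTS):
    """snapshot: iterable of (pid, image_name, parent_pid) tuples from a process listing.

    Returns one finding per security-product image that is running more than once,
    listing every instance and singling out those whose parent is not an expected
    launcher, which is where a malware-started copy would show up.
    """
    name_by_pid = {pid: name for pid, name, _ in snapshot}
    instances = defaultdict(list)
    for pid, name, ppid in snapshot:
        if name.lower() in SECURITY_PROCESSES:
            instances[name.lower()].append((pid, ppid))
    findings = []
    for image, procs in sorted(instances.items()):
        if len(procs) < 2:
            continue  # a single instance is the normal state
        odd = [(pid, ppid, name_by_pid.get(ppid, "<unknown>")) for pid, ppid in procs
               if name_by_pid.get(ppid, "").lower() not in expected_parents]
        findings.append({"image": image, "vendor": SECURITY_PROCESSES[image],
                         "instances": procs, "odd_parent_instances": odd})
    return findings


# Constructed sample snapshot (not real telemetry): Kaspersky's avp.exe appears twice,
# the second copy launched by a non-service parent.
SAMPLE_SNAPSHOT = [
    (4, "System", 0), (520, "services.exe", 4), (900, "svchost.exe", 520),
    (1234, "avp.exe", 520),          # legitimate instance, started by services.exe
    (2048, "explorer.exe", 1500), (3050, "updater.exe", 2048),
    (3100, "AVP.EXE", 3050),         # second instance, odd parent
]

if __name__ == "__main__":
    for f in find_duplicate_security_processes(SAMPLE_SNAPSHOT):
        print(f"{f['image']} ({f['vendor']}): {len(f['instances'])} instances, "
              f"unexpected parent for {f['odd_parent_instances']}")
```

On a live host the snapshot would come from a process enumeration tool or EDR telemetry; a second instance with an unexpected parent is a lead to triage, not proof of infection on its own.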
The malware can steal a wide array of information on any affected system, such as:
  • Drive information, such as free space and drive device name
  • Screenshots
  • Running processes and their owners
  • Network information, such as IP address, IP routing table, TCP and UDP tables, DNS cache table and local shares
  • Local shared folders and connected users
  • Removable drive serial numbers
  • Window names
  • Information on open files on the local computer, obtained using NetFileEnum
Trend Micro said its products have been updated with new signatures to protect against this latest threat. It also blocks access to the malicious control servers with its Web Reputation Services. — TJD, GMA News