General Information

According to the report presented by Symantec, this trojan was detected for the first time on the 14th of October and later, on the 7th of September they found samples of the driver uploaded to VirusTotal.

According to Symantec, this could herald an attack similar to Stuxnet, written by the authors themselves or at least by programmers with access to the source code. However, this Trojan contains code related to industrial control systems.

The main objective of this new threat is to get information about ICS (industrial control systems) manufacturing companies, to help prepare for a subsequent attack against another company.
Duqu is, basically, a RAT (Remote Admin Trojan) that once introduced in a system, functions as a downloader for other trojans. It consists of a Driver, a DLL and a configuration file. These files are installed by another executable that, as yet, has not been identified. This installer registers the driver as a service that must be executed during system startup. Once executed, the driver injects the DLL into the process services.exe and if the injection is made correctly, the DLL extracts other components that are themselves then injected into other processes.

Duqu uses a valid digital certificate that was revoked on the 14th of October. It also waits 15 minutes before activating, once it arrives on a new machine (probably to avoid being detected in a sandbox). It is designed to automatically remove itself after 36 days.
McAfee’s theory is different. They argue that Duqu is being used to steal certificates from CAs in Europe, Africa and Asia, to afterwards be used for signing malicious code.
A Summary of Behaviour

The malware opens a back-door in the infected system which allows the attackers to obtain the following information from the compromised system:
  • A list of the processes currently executing, the details of the user’s account and domain information.
  • Names of the drives and related information, such as shared drives.
  • Screen captures.
  • Network information (routing tables, shared objects etc.).
  • Key strokes (Keylogger).
  • Names of all open windows.
  • A list of shared resources.
  • Exploration of files in all drives, including removable drives.
  • List of all machines in the domain (through NetServerEnum)
  • Name of the current module, PID, session ID, Windows directory, Temp directory.
  • Operating System version, including if it is 64-bit or not.
  • Information about network adapters.
  • Information about local time, including the time zone.
Finally, the malware sends all the extracted information in encrypted form to a predetermined control panel (, at the same time allowing the download of more malicious content from the control panel.

Possible clues for detection

Network traffic

Duqu uses the HTTP and HTTPS protocols to communicate with the control panel (C&C) found at the IP This server is located in India, and has been disabled by the ISP (Web Werks WEBWRKS-PHLA1).

Communications within the range of IP addresses 206.53.48-61.* have been reported. It is highly recommended that communication device logs are reviewed for communications with this IP or any IP within the indicated range.
Detection on infected machines

Symantec has provided the following hashes and file names that have been identified as part of the threat.






Principal DLL



Configuration File



Configuration File



Principal DLL












Duqu drivers have also been detected using the following file names which were not included in the Symantec report:

The driver load is performed by adding some of the following keys to the Windows registry:
HKEY _ LOCAL _ MACHINESYSTEMCurrentControlSetServicesJmiNET3
The detection of these entries in the registry of a Windows system is a clear indication that the machine is infected by Duqu.
S21sec e-crime team