Duqu Teardown: Espionage Malware

Symantec's Gavin O'Gorman Details Duqu Investigation
For security firm Symantec, the investigation into the Duqu 2 - a.k.a. Duqu.B - espionage malware began May 29. That's when security vendor Kaspersky Lab contacted the company with an urgent warning, saying that attackers had infiltrated and infected Kaspersky's networks with the advanced espionage malware, and asking Symantec and CrySys Labs in Hungary to verify its results (see Duqu 2.0 Espionage Malware Discovered).
"In this case, I think it was particularly serious, because obviously if Kaspersky had been compromised by these attackers, then there was a concern that other security vendors would have been compromised as well," says Gavin O'Gorman, principal intelligence analyst at Symantec. "Attacking a security company - and what clearly is a nation-state attacker going after a private security company that is meant to be protecting customers and so on - is quite galling."
In an interview recorded with Information Security Media Group, O'Gorman details:
- The findings to date of the Duqu 2 investigation;
- Attackers' use of a zero-day vulnerability;
- How attackers will likely vary their infiltration techniques with Duqu 3.
O'Gorman is a Dublin-based principal intelligence analyst at Symantec, where he's tasked with investigating and profiling both corporate and government espionage attackers who target Symantec customers, as well as liaising with other researchers and law enforcement agencies investigating online crime. He previously worked in a number of threat intelligence, software development and architecture, and systems administration roles at various organizations.