The APT floodgates seem to have opened sometime in the past twelve months, Stuxnet is no longer alone in the field and the latest arrival is MiniDuke, a very sophisticated, if low-profile and minimalist piece of malware.
“We’re dealing, unfortunately, with the work of a very small group of career criminals – people who’ve written a lot of malware before MiniDuke and who are doing more with less.
To make a comparison, Flamer was obviously much more complex, probably the work of a big, competent, well-managed team, there were lots of resources poured into finding and using zero day exploits, it was an expensive e-threat to build, all in all. MiniDuke looks much more like a hacker project, it’s done on a shoestring budget” Marius Tivadar commented.
This comparative lack of resources has apparently imposed some odd design choices on the malware writers.
“The samples we have are all customized, polymorphized, there is an encrypted part which is specifically built for each target machine – but from what we can tell, there is no modularity, like we see with Flamer and Stuxnet. It seems to be all of a piece. It’s very old-school malware, although there are some very modern touches, like the use of Twitter and Google for command and control purposes” Marius said.
When asked to comment upon the possible origin of the malware, mr. Tivadar explained : “we have no leads so far, apart from the appearance of 666 in the code and the fact it was asking what time it is in China at one point. I wouldn’t venture a guess based on such flimsy evidence, frankly.”
Bitdefender has released a free removal tool: MiniDuke Removal Tool (5730 downloads) .
UPDATE: the removal tool has been itself updated, to deal with newly-discovered samples.