Duqu detection kit released

The Laboratory of Cryptography and System Security (CrySyS), the Budapest, Hungary-based research lab responsible for detecting the Duqu trojan, has released an open source detector toolkit to assist in finding traces of the trojan on a computer or in a whole network.

According to release notes for the Duqu Detector Toolkit v1.01 on the CrySyS website, the package contains signature- and heuristics-based methods capable of discovering traces of infections where pieces of the malware have already been removed from the system.

The kit, they say, consists of simple, easy-to-analyze source code that looks for anomalies (e.g., suspicious files) and for known indicators of Duqu's presence on the analyzed computers. Its output is a log of candidate findings, not a verdict: the researchers warn that trained personnel are needed to go through the log files and weed out false positives.
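To make the two detection styles concrete, here is an added example (written for this page, not CrySyS's toolkit code, and containing no real Duqu indicators) that combines an exact-match signature (a file hash) with a heuristic anomaly (a PE image sitting under an extension that should never hold one). The hash, the extension list and the sample files are all constructed for the demo.

```python
"""Signature-plus-heuristic sweep in the spirit of the toolkit described above.

Added illustration, not CrySyS code. Every indicator here is CONSTRUCTED for the
demo; real indicators must come from a trusted published analysis.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed "known bad" hash (a hypothetical sample, not a Duqu hash).
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"constructed-dropper-body").hexdigest(): "demo-dropper",
}
# Extensions that should never contain a PE image. A DOS/PE header under one of
# these is a generic anomaly worth logging; the exact list is an assumption.
NON_EXECUTABLE_EXTS = {".tmp", ".pnf", ".dat", ".log", ".txt"}
PE_MAGIC = b"MZ"


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "signature" (exact match) or "heuristic" (needs analyst review)
    detail: str


def sha256_of(path: Path) -> str:
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path: Path) -> bool:
    with path.open("rb") as f:
        return f.read(len(PE_MAGIC)) == PE_MAGIC


def scan_file(path: Path) -> List[Finding]:
    findings: List[Finding] = []
    digest = sha256_of(path)
    if digest in KNOWN_BAD_SHA256:
        findings.append(Finding(str(path), "signature",
                                f"SHA-256 matches {KNOWN_BAD_SHA256[digest]}"))
    if path.suffix.lower() in NON_EXECUTABLE_EXTS and looks_like_pe(path):
        findings.append(Finding(str(path), "heuristic",
                                "PE header inside a non-executable extension"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory; unreadable files are skipped so one error does not abort the sweep."""
    results: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            try:
                results.extend(scan_file(Path(dirpath) / name))
            except OSError:
                continue
    return results


def write_log(findings: List[Finding], log_path: str) -> int:
    """One tab-separated line per finding for analyst review; returns the count written."""
    with open(log_path, "w", encoding="utf-8") as f:
        for fnd in findings:
            f.write(f"{fnd.kind.upper()}\t{fnd.path}\t{fnd.detail}\n")
    return len(findings)


def build_demo_tree(root: str) -> None:
    """Constructed sample files: a hash hit, an anomaly, a clean file and a false-positive trap."""
    base = Path(root)
    (base / "inf").mkdir(exist_ok=True)
    (base / "dropper.bin").write_bytes(b"constructed-dropper-body")         # signature hit
    (base / "inf" / "oem.pnf").write_bytes(PE_MAGIC + b"\x90" * 64)        # PE bytes under .pnf
    (base / "readme.txt").write_text("nothing to see here")               # clean
    (base / "notes.txt").write_text("MZ is the DOS header magic")         # text starting with MZ


def run_demo() -> List[Finding]:
    """Build the constructed tree in a scratch directory, scan it, log it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = scan_tree(tmp)
        write_log(hits, os.path.join(tmp, "scan.log"))
        return hits


if __name__ == "__main__":
    for hit in run_demo():
        print(hit.kind, hit.path, hit.detail)
```

Running it yields three findings from four files. One of them, notes.txt, is an ordinary text file that happens to begin with the bytes "MZ"; that is exactly the kind of false positive the researchers say an analyst has to weed out of the log. Treat signature hits as high confidence and heuristic hits as leads to be verified, not verdicts.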

Critical infrastructure networks can also be examined with the toolkit, which matters because Duqu bears a striking resemblance to Stuxnet, the computer worm discovered in June 2010 that targeted Siemens industrial control software and is widely credited with damaging uranium-enrichment centrifuges in Iran.

Symantec researchers examined two variants of Duqu. Once on a machine, both strains download a remote access tool that lets the operators take control of the computer and communicate with a command-and-control server. One of the variants studied also installed an "Infostealer" trojan designed to record keystrokes and map the surrounding network.

The malware's code, according to McAfee researchers Guilherme Venere and Peter Szor, mimics Stuxnet in its encryption keys and drivers. Like Stuxnet, the threat uses a kernel driver file signed with a legitimate digital certificate, in this case one issued to Taiwan-based C-Media Electronics, according to F-Secure. A valid signature lets the driver load without the warnings an unsigned driver would trigger on systems that enforce kernel-mode code signing. The certificate has since been revoked, but revocation does not dislodge a driver that is already installed, which is why host-level detection still matters.

In its analysis of Duqu, CrySyS found a dropper in the form of a Microsoft Word document carrying a zero-day Windows kernel exploit: a computer could be infected if a recipient was duped into opening the trojanized document, which arrived by email. The flaw (CVE-2011-3402) is in the TrueType font parsing code of the Win32k kernel-mode component, so a malicious font embedded in the document gives the attacker code execution in the kernel. Microsoft has since issued a temporary workaround (Security Advisory 2639658, with a Fix it that denies access to the t2embed.dll font-embedding library), but as of its Patch Tuesday release earlier this week it still has not shipped a permanent fix for the flaw. The workaround has a cost: applications that rely on embedded fonts may render documents incorrectly until the patch arrives.
