Duqu detection kit released

The Laboratory of Cryptography and System Security (CrySyS), the Budapest, Hungary-based research lab responsible for detecting the Duqu trojan, has released an open source detector toolkit to assist in finding traces of the trojan on a computer or in a whole network.

According to release notes for the Duqu Detector Toolkit v1.01 on the CrySyS website, the package contains signature- and heuristics-based methods capable of discovering traces of infections where pieces of the malware have already been removed from the system.

The kit, they say, contains simple, easy-to-analyze source code that looks for anomalies (e.g., suspicious files) and known indicators of the presence of Duqu on analyzed computers. However, the researchers warn that professional personnel are needed to analyze the log files to weed out false positives.
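To make the two detection layers described above concrete, here is a small scanner written for this article; it is not code from the CrySyS toolkit, and the hashes, file-name pattern and directory tree it uses are placeholders constructed for the example rather than real Duqu indicators. The signature layer matches exact file hashes and known file names (which is what still fires when the driver has been removed but a log file is left behind), while the heuristic layer flags driver or library files sitting in a user's temp directory, a low-confidence hit that, as the researchers warn, an analyst must triage by hand.

```python
"""Toy signature + heuristic indicator scanner (illustrative, not the CrySyS kit).

All hashes, names and the sample directory tree are constructed for this
example; none of them are real Duqu indicators.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Signature layer: SHA-256 of a known-bad file body (placeholder content).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ example malicious driver body").hexdigest(): "example-driver",
}
# Signature layer: known-bad file name (placeholder pattern, hypothetical).
KNOWN_BAD_NAMES = [re.compile(r"^~EX[0-9A-F]{4}\.tmp$", re.I)]
# Heuristic layer: binaries that rarely belong in a temp directory.
SUSPICIOUS_EXT_IN_TEMP = {".sys", ".dll"}


@dataclass
class Finding:
    path: str
    kind: str        # "signature" or "heuristic"
    detail: str
    confidence: str  # "high" for exact indicators, "low" for heuristics


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, temp_dirs: set[str]) -> list[Finding]:
    """Walk `root`; return every signature and heuristic hit."""
    norm_temps = [os.path.normcase(t) for t in temp_dirs]
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        in_temp = any(os.path.normcase(dirpath).startswith(t) for t in norm_temps)
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in KNOWN_BAD_SHA256:
                findings.append(Finding(path, "signature",
                                        f"sha256 matches {KNOWN_BAD_SHA256[digest]}", "high"))
            if any(p.match(name) for p in KNOWN_BAD_NAMES):
                findings.append(Finding(path, "signature",
                                        "file name matches known indicator", "high"))
            ext = os.path.splitext(name)[1].lower()
            if in_temp and ext in SUSPICIOUS_EXT_IN_TEMP:
                findings.append(Finding(path, "heuristic",
                                        f"{ext} file in a temp directory", "low"))
    return findings


def build_sample_tree() -> tuple[str, str]:
    """Create a constructed tree mimicking a Windows layout; returns (root, temp_dir)."""
    root = tempfile.mkdtemp(prefix="scan-")
    temp_dir = os.path.join(root, "Users", "alice", "AppData", "Local", "Temp")
    drivers = os.path.join(root, "Windows", "System32", "drivers")
    os.makedirs(temp_dir)
    os.makedirs(drivers)
    # Exact-hash hit: the placeholder driver body, where a driver normally lives.
    with open(os.path.join(drivers, "exdrv.sys"), "wb") as f:
        f.write(b"MZ example malicious driver body")
    # Name hit: a leftover log-style file, the kind of trace that survives cleanup.
    with open(os.path.join(temp_dir, "~EX1A2B.tmp"), "wb") as f:
        f.write(b"\x00" * 16)
    # Heuristic-only hit: a DLL in Temp, which could equally be installer residue.
    with open(os.path.join(temp_dir, "setup_helper.dll"), "wb") as f:
        f.write(b"MZ benign installer helper")
    # Benign noise that must not be reported.
    with open(os.path.join(temp_dir, "notes.txt"), "w") as f:
        f.write("nothing to see\n")
    return root, temp_dir


if __name__ == "__main__":
    sample_root, sample_temp = build_sample_tree()
    for hit in scan_tree(sample_root, {sample_temp}):
        print(hit.confidence, hit.kind, hit.path, hit.detail)
```

Run against the constructed tree this reports two high-confidence signature hits and one low-confidence heuristic hit; the heuristic line is the one a reviewer has to confirm or discard, which is why the output carries a confidence field rather than a verdict.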

Critical infrastructure can also be examined with the toolkit, which matters because Duqu bears a striking resemblance to Stuxnet, the computer worm discovered in June 2010 that targeted Siemens industrial control software and damaged centrifuges at Iran's uranium enrichment facility.

Symantec researchers examined two variants of Duqu. Once on a machine, each downloads a remote access tool that lets the operators control the computer and communicate with a command-and-control server. One of the variants studied also installed an "Infostealer" component designed to record keystrokes and map the network.

Duqu's code, according to McAfee researchers Guilherme Venere and Peter Szor, mimics Stuxnet in its encryption keys and driver techniques. Like Stuxnet, the threat uses a driver file signed with a legitimate digital certificate, in this case one issued to Taiwan-based C-Media Electronics, according to F-Secure.

In its analysis of Duqu, CrySyS identified a dropper file containing a Microsoft Windows zero-day kernel exploit. A computer could be infected with Duqu if a person was duped into opening a malicious Microsoft Word document sent by email. The flaw is in the TrueType font parsing code of the Win32k kernel component. Microsoft has since issued a temporary workaround (a "Fix it" that denies access to the font-embedding library t2embed.dll) for the vulnerability, which the Duqu dropper exploits to install the malware. However, as of its last Patch Tuesday release earlier this week, it still has not issued a permanent fix for the flaw.
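The exploit above can only fire if a TrueType font reaches the Win32k parser, so one triage step for a suspicious document is to find out whether it carries an embedded font at all. The scanner below, written as an added example rather than taken from the CrySyS kit or Microsoft's guidance, locates TrueType offset tables (the "sfnt" header followed by a table directory) anywhere in a byte string and validates the directory's structural invariants, which is what keeps it from firing on every stray 0x00010000 or on the word "true". The sample document bytes are constructed inline.

```python
"""Locate embedded TrueType (sfnt) font directories inside an arbitrary file.

Added triage heuristic (author's assumption, not a method from the CrySyS kit):
a document that cannot reach the kernel font parser is uninteresting for this
flaw, one that embeds a font deserves a closer look. Sample data is constructed.
"""
import struct
from dataclasses import dataclass

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true")   # TrueType-outline sfnt versions
MAX_TABLES = 64                                # sane upper bound for a real font
OFFSET_TABLE = struct.Struct(">4sHHHH")        # version, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")         # tag, checksum, offset, length


@dataclass
class FontBlob:
    offset: int        # where the sfnt header starts in the scanned data
    num_tables: int
    tags: list[str]


def _search_fields(n: int) -> tuple[int, int, int]:
    """searchRange/entrySelector/rangeShift as the spec derives them from numTables."""
    p, e = 1, 0
    while p * 2 <= n:
        p, e = p * 2, e + 1
    return p * 16, e, n * 16 - p * 16


def _is_tag(tag: bytes) -> bool:
    # Table tags are four printable ASCII bytes, e.g. b"cmap", b"OS/2".
    return all(0x20 <= b <= 0x7E for b in tag)


def find_truetype_blobs(data: bytes) -> list[FontBlob]:
    """Return every position whose bytes form a structurally valid sfnt directory."""
    found: list[FontBlob] = []
    pos = 0
    while True:
        hits = [h for h in (data.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        pos = off + 1
        if off + OFFSET_TABLE.size > len(data):
            continue
        _ver, n, sr, es, rs = OFFSET_TABLE.unpack_from(data, off)
        # Reject decoys: implausible table count or inconsistent binary-search fields.
        if not 1 <= n <= MAX_TABLES or (sr, es, rs) != _search_fields(n):
            continue
        dir_start = off + OFFSET_TABLE.size
        if dir_start + n * TABLE_RECORD.size > len(data):
            continue
        tags = []
        for i in range(n):
            tag, _cs, _toff, _tlen = TABLE_RECORD.unpack_from(data, dir_start + i * TABLE_RECORD.size)
            if not _is_tag(tag):
                break
            tags.append(tag.decode("ascii"))
        else:
            # A real TrueType font carries at least one of these core tables.
            if {"cmap", "glyf", "head"} & set(tags):
                found.append(FontBlob(off, n, tags))


def build_font_directory(tags: list[str]) -> bytes:
    """Constructed sfnt header plus table directory (no table bodies) for the sample."""
    n = len(tags)
    sr, es, rs = _search_fields(n)
    header = OFFSET_TABLE.pack(b"\x00\x01\x00\x00", n, sr, es, rs)
    records = b"".join(
        TABLE_RECORD.pack(t.encode("ascii"), 0, 0x100 + 0x20 * i, 0x20) for i, t in enumerate(tags)
    )
    return header + records


# Constructed "document": text containing the word true, a real font directory,
# padding, and a bare 0x00010000 decoy with zero tables that must be rejected.
SAMPLE_DOCUMENT = (
    b"Quarterly report: true up of figures\n"
    + build_font_directory(["cmap", "glyf", "head", "loca"])
    + b"\x00" * 64
    + b"\x00\x01\x00\x00\x00\x00"
    + b"trailer"
)

if __name__ == "__main__":
    for blob in find_truetype_blobs(SAMPLE_DOCUMENT):
        print(f"sfnt directory at offset {blob.offset}: {blob.num_tables} tables {blob.tags}")
```

Table offsets and lengths are deliberately not bounds-checked against the file, because a font carved out of a document container is often truncated or relocated; the point of the check is presence, not well-formedness, and a hit is a reason to hand the file to a sandbox or a font parser under instrumentation, not a verdict.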
