Duqu detection kit released

The Laboratory of Cryptography and System Security (CrySyS), the Budapest, Hungary-based research lab that first identified the Duqu trojan, has released an open source detector toolkit to help find traces of the trojan on a single computer or across an entire network.

According to the release notes for the Duqu Detector Toolkit v1.01 on the CrySyS website, the package combines signature-based and heuristic methods, and can uncover traces of an infection even on systems from which parts of the malware have already been removed.

The kit, the researchers say, consists of simple, easy-to-audit source code that looks for anomalies (for example, suspicious files) and for known indicators of Duqu on the computers it examines. They warn, however, that trained analysts are needed to review the resulting log files and weed out false positives.
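To make the two detection styles concrete, here is an added example (written for this page, not code from the CrySyS toolkit) of a small signature-plus-heuristic scanner. The hashes and filenames it treats as "known bad" are constructed placeholders, not real Duqu indicators, and the directory tree it scans is built in a temporary folder so it runs offline. The one heuristic it implements, flagging a .pnf file in the inf directory that has no matching .inf, is an illustrative anomaly check chosen here: Windows writes a .pnf as the precompiled form of an .inf, so an orphan .pnf is unusual, but not proof of anything.

```python
"""Signature + heuristic file scanner, in the spirit of a Duqu-style detector.

Added example for illustration only. Every indicator below is a constructed
placeholder; none is a real Duqu hash, filename or path.
"""
import hashlib
import tempfile
from pathlib import Path

# --- Signature-based indicators (constructed placeholders, not real IOCs) ---
SAMPLE_MALICIOUS_CONTENT = b"constructed stand-in for a known-bad driver image\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_CONTENT).hexdigest()}
KNOWN_BAD_FILENAMES = {"examplebad.sys"}  # hypothetical name, lower-cased


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def signature_hits(root: Path) -> list:
    """Exact-match checks: known filename or known content hash anywhere under root."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in KNOWN_BAD_FILENAMES:
            hits.append({"level": "high", "reason": "known bad filename", "path": str(path)})
        if sha256_file(path) in KNOWN_BAD_SHA256:
            hits.append({"level": "high", "reason": "known bad sha256", "path": str(path)})
    return hits


def orphan_pnf_hits(inf_dir: Path) -> list:
    """Heuristic: a .pnf with no sibling .inf of the same stem is an anomaly.

    Rated 'medium' because stale precompiled INFs from removed drivers also
    trigger it; an analyst has to review these hits (false positives expected).
    """
    hits = []
    if not inf_dir.is_dir():
        return hits
    inf_stems = {p.stem.lower() for p in inf_dir.iterdir() if p.suffix.lower() == ".inf"}
    for path in inf_dir.iterdir():
        if path.suffix.lower() == ".pnf" and path.stem.lower() not in inf_stems:
            hits.append({"level": "medium",
                         "reason": "orphan .pnf (no matching .inf)",
                         "path": str(path)})
    return hits


def scan(system_root: Path) -> list:
    """Run both detectors over a Windows-style directory tree and sort by path."""
    findings = signature_hits(system_root) + orphan_pnf_hits(system_root / "inf")
    return sorted(findings, key=lambda hit: hit["path"])


def build_sample_tree(base: Path) -> Path:
    """Construct a fake %SystemRoot% with one benign and several suspicious files."""
    root = base / "Windows"
    (root / "inf").mkdir(parents=True)
    (root / "System32" / "drivers").mkdir(parents=True)
    (root / "inf" / "legit.inf").write_text('[Version]\nSignature="$Windows NT$"\n')
    (root / "inf" / "legit.pnf").write_bytes(b"precompiled placeholder")   # has its .inf
    (root / "inf" / "orphan.pnf").write_bytes(b"no matching inf")           # heuristic hit
    drivers = root / "System32" / "drivers"
    (drivers / "examplebad.sys").write_bytes(b"benign bytes, bad name")     # filename hit
    (drivers / "renamed.sys").write_bytes(SAMPLE_MALICIOUS_CONTENT)         # hash hit
    (drivers / "ok.sys").write_bytes(b"ordinary driver")                    # clean
    return root


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for hit in demo():
        print(f"[{hit['level']:6}] {hit['reason']:32} {hit['path']}")
```

On the constructed tree the scanner reports three findings: the file with the known-bad name, the renamed file whose hash matches, and the orphan .pnf; the benign driver and the properly paired .pnf are silent. The split between "high" (exact signature) and "medium" (heuristic) is the point of the example: hash and name signatures are precise but trivially evaded by rebuilding or renaming, while the heuristic survives those changes at the cost of false positives, which is why the CrySyS notes insist that a person reads the logs.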

Critical infrastructure operators can also use the toolkit, which matters because Duqu bears a striking resemblance to Stuxnet, the computer worm discovered in June 2010 that targeted Siemens industrial control software and reportedly damaged uranium-enrichment centrifuges in Iran.

Symantec researchers examined two variants of Duqu. Once on a machine, both install a remote access tool that lets the attackers take control of the computer and communicate with a command-and-control server. One of the variants additionally installed an "Infostealer" trojan designed to record keystrokes and enumerate the surrounding network.

The malware, according to McAfee researchers Guilherme Venere and Peter Szor, closely resembles Stuxnet in its encryption keys and driver components. Like Stuxnet, it uses a driver signed with a legitimate code-signing certificate, in this case one issued to Taiwan-based C-Media Electronics, according to F-Secure; that certificate has since been revoked, so a driver that still validates against it should be treated as suspect rather than trusted.

In its analysis of Duqu, CrySyS recovered a dropper file containing a previously unknown (0-day) Microsoft Windows kernel exploit. A computer could be infected if a user was duped into opening a malicious Microsoft Word document sent by email. The flaw (CVE-2011-3402) is in the TrueType font parsing code of the Win32k kernel-mode driver, so a crafted embedded font gives the attacker kernel-level code execution. Microsoft has since issued a temporary "Fix it" workaround that blocks access to the t2embed.dll font-embedding library. However, as of its Patch Tuesday release earlier this week, Microsoft still had not issued a permanent fix for the flaw linked to Duqu.
