The Laboratory of Cryptography and System Security (CrySyS), the Budapest, Hungary-based research lab responsible for detecting the Duqu trojan, has released an open source detector toolkit to assist in finding traces of the trojan on a computer or in a whole network.
According to release notes for the Duqu Detector Toolkit v1.01 on the CrySyS website, the package contains signature- and heuristics-based methods capable of discovering traces of infections where pieces of the malware have already been removed from the system.
The kit, they say, contains simple, easy-to-analyze source code that looks for anomalies (e.g., suspicious files) and known indicators of the presence of Duqu on analyzed computers. However, the researchers warn that professional personnel are needed to analyze the log files to weed out false positives.
Critical infrastructures can also be examined using the toolkit, an important strategy as Duqu bears a striking resemblance to Stuxnet, a computer worm discovered in June 2010, that targeted Siemens industrial software resulting in the crippling of nuclear facilities in Iran.
Symantec researchers examined two variants of Duqu. Once on a machine, the strains download a remote access tool, which allows the malware to take control of the computer and begin communication with a command-and-control hub. In the case of one of the variants studied, it installed an “Infostealer” trojan, designed to record keystrokes and map networks.
The exploit code, according to McAfee researchers Guilherme Venere and Peter Szor, mimics Stuxnet in its encryption keys and drivers. Like Stuxnet, the threat uses a driver file signed with a legitimate digital certificate, in this case issued by Taiwan-based C-Media Electronics, according to F-Secure.
In its analysis of Duqu, CrySyS detected a dropper file with an MS 0-day kernel exploit inside. A computer could be infected with Duqu if a person was duped into opening a Microsoft Word document tainted with the worm sent via email. The flaw is in Windows’ Win32k TrueType font parsing engine. Microsoft has subsequently issued a temporary fix for a vulnerability in the Windows kernel used to spread Duqu. However, as of its last Patch Tuesday release earlier this week, still has not issued a permanent fix for the flaw linked to the Duqu trojan.