Duqu Open-Source Toolkit Part II

Monday, November 14, 2011 @ 08:11 PM gHale


One more open-source toolkit hit the cyber street to detect whether a network has suffered a Duqu infection. This kit comes from the lab credited with discovering the Duqu malware, the Laboratory of Cryptography and System Security (CrySys).

The Duqu Detector Toolkit v1.01 looks for suspicious files left by Duqu, which has created a buzz in the security community given its stealthy nature and some characteristics it shares with Stuxnet.


CrySys, part of the Budapest University of Technology and Economics in Hungary, wrote in its release notes that the toolkit, which consists of four components, looks for unusual files that mark an infection.

CrySys said the toolkit should detect a real, active Duqu infection, but false positives are possible, so it cautioned that administrators will need to analyze the results themselves.

Forensic stand-alone tools such as the one CrySys developed are important because they give Duqu victims a better picture of how they were attacked, said Costin Raiu, director of the global research and analysis team at Kaspersky Lab. Antivirus software does not give the same insight; it focuses instead on detecting and blocking an attack.

“Of course, all of this can be done ‘manually,’ but these tools make it much easier to spot anomalies in Duqu-infected computers,” Raiu said.

The toolkit also has a component that could let victims figure out what data Duqu has stolen. Raiu said stolen data ends up stored in files ending in “DQ” — hence the malware’s name — and in “DF.”

“I’m sure that any victim wants to know what was stolen from them,” Raiu said.

Another company, NSS Labs, has also released a Duqu detection tool: a script that looks for certain strings within the drivers Duqu uses.
http://www.isssource.com/scanner-can-detect-duqu/
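The two detection heuristics the article describes, flagging leftover files whose names end in “DQ” or “DF” and searching driver files for known strings, are shown below in a small added example. It is not the CrySys toolkit or the NSS Labs script, and it carries no real Duqu indicators: the marker strings are constructed placeholders, the sample files are built in a temporary directory, and the suffix rule is assumed to apply both to the full file name and to the name with its extension removed. One of the constructed files is a harmless document that also matches the suffix rule, which is exactly the kind of false positive CrySys warned administrators to expect, so every hit is reported as a candidate for review rather than as a confirmed infection.

```python
"""
Added example, not the CrySys or NSS Labs tool: a minimal offline
demonstration of (1) flagging files whose names end in "DQ" or "DF" and
(2) searching driver (.sys) files for a configurable list of strings.
Marker strings and sample files are constructed placeholders only.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

# Suffixes named in the article; matched case-insensitively on the file
# name and on the name with its extension removed (assumption made here).
SUSPICIOUS_SUFFIXES = ("DQ", "DF")

# Constructed placeholder markers. A real scan would take its strings
# from a vetted analysis report, never from this example.
PLACEHOLDER_DRIVER_STRINGS = (b"EXAMPLE_MARKER_ONE", b"EXAMPLE_MARKER_TWO")

MAX_READ = 8 * 1024 * 1024  # per-file read cap so one huge file cannot stall the scan


@dataclass
class Finding:
    path: str
    reason: str
    size: int


def has_suspicious_suffix(name: str) -> bool:
    """True if the file name, or its stem without extension, ends in DQ/DF."""
    stem = os.path.splitext(name)[0]
    upper_name, upper_stem = name.upper(), stem.upper()
    return any(upper_name.endswith(s) or upper_stem.endswith(s)
               for s in SUSPICIOUS_SUFFIXES)


def scan_for_suffix_files(root: str) -> List[Finding]:
    """Heuristic 1: flag files whose names end in DQ or DF (candidates only)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if has_suspicious_suffix(name):
                full = os.path.join(dirpath, name)
                findings.append(Finding(full, "name ends in DQ/DF", os.path.getsize(full)))
    return findings


def scan_drivers_for_strings(root: str, markers: Iterable[bytes]) -> List[Finding]:
    """Heuristic 2: search .sys files under root for any of the marker strings."""
    markers = tuple(markers)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".sys"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read(MAX_READ)
            hits = [m.decode("ascii", "replace") for m in markers if m in data]
            if hits:
                findings.append(Finding(full, "driver contains " + ", ".join(hits), len(data)))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample files: two resemble leftover data files, one is a
    harmless document that also matches the suffix rule (a false positive),
    one driver carries a placeholder marker and one does not."""
    os.makedirs(os.path.join(root, "drivers"), exist_ok=True)
    samples = {
        "~tmp001DQ": b"\x00" * 32,
        "~tmp002DF.tmp": b"\x00" * 32,
        "quarterly_DF.txt": b"Q3 figures",  # benign, but flagged by the suffix rule
        "notes.txt": b"nothing here",
        "drivers/good.sys": b"MZ" + b"\x00" * 64,
        "drivers/odd.sys": b"MZ" + b"EXAMPLE_MARKER_ONE" + b"\x00" * 40,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


def run_demo() -> dict:
    """Build the sample tree in a temp directory and return what each heuristic flags."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        suffix_hits = scan_for_suffix_files(root)
        string_hits = scan_drivers_for_strings(root, PLACEHOLDER_DRIVER_STRINGS)
        return {
            "suffix_files": sorted(os.path.basename(f.path) for f in suffix_hits),
            "driver_files": sorted(os.path.basename(f.path) for f in string_hits),
        }


if __name__ == "__main__":
    result = run_demo()
    print("Files ending in DQ/DF (review each; 'quarterly_DF.txt' is benign):")
    for name in result["suffix_files"]:
        print("  ", name)
    print("Drivers containing a marker string:")
    for name in result["driver_files"]:
        print("  ", name)
```

Running it lists three suffix candidates, one of them the benign quarterly report, and one driver hit; the point of returning `Finding` records with path, reason and size rather than a yes/no verdict is that an administrator can triage each hit, which is the manual analysis step CrySys says the toolkit cannot do for them.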

Microsoft is working on a patch for the software vulnerability Duqu uses to infect computers. CrySys discovered, after examining an installer file, that Duqu exploits a previously unknown Windows vulnerability.

A Duqu infection can occur when a user opens a malicious Microsoft Word document sent by email. The vulnerability lies in the Win32k TrueType font parsing engine in Windows. Microsoft has published a tool to temporarily block attacks until the patch is ready.
