0

Duqu Analysis and Detection Tool by NSS Labs



NSS Labs has built a new, free tool that detects known and newly created Duqu drivers that have infiltrated systems, thus allowing security experts to further analyze the “functionality, capabilities and ultimate purpose of DuQu.”. The Tool is available free.

Duqu is notorious worm that exploit Windows Zero-day Vulnerability. Microsoft released temporary fix yesterday for this vulnerability . According to the test, NSS tool Success rate is 100%, zero false positivies. Developers said it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered.Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.

It seems that Duqu contains similar code and utilizes similar techniques to Stuxnet. More precisely, it seems to make use of digital certificates that appear as legitimate, but it's far too early to describe it as Stuxnet 2.
More Info :
  • DuQu contains similar code to that used by Stuxnet.
  • DuQu uses similar techniques to Stuxnet, specifically the use of drivers signed by “legitimate” digital certificates. It is not known whether those certs were stolen or manufactured by the attackers following the compromise of a certificate authority (CA.)
  • DuQu is not self-replicating (although some theorize that it can be commanded to replicate itself across network shares); it requires the use of an exploit-based “dropper” to install it on a system.
  • The installer, which utilized a zero day kernel exploit delivered via a Microsoft Word document, has now been recovered and is currently being analyzed.
  • DuQu installs a keylogger in order to record keystrokes and collect other system information.
  • Stolen information is packaged into encrypted and compressed image files for subsequent exfiltration.
  • DuQu was communicating over HTTP/HTTPS with its intial command and control (CC) server in India; a custom CC protocol was implemented using modified image files. As of this writing, the CC server has been deactivated.
  • DuQu was initially configured with a fixed life, set to deactivate after 36 days, although additional components can be installed to extend this as required.

Post a Comment

 
Top