Open Source Tool Scans For Duqu Drivers
wiredmikey writes "A new open source scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers, and to enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware."
Re: (Score:1)
Windows virus detector in python? (Score:4, Informative)
I like the effort, and appreciate the tool, but how many windows users have python installed? ;>
Re: (Score:2)
That will probably be addressed at a later point.
Turning Python source into an executable isn't exactly rocket science.
Re: (Score:1)
Yup, loose indentation is a real problem in Python.
Re: (Score:2)
FTFY
Re: (Score:1)
Indentation should not be a requirement of a programming language. It should be there only for readability purposes. So yes, this is a failure of Python.
Re: (Score:2)
Then one has to ask why they didn't address it (Score:2)
The GP is correct: Python is not common on Windows systems, particularly desktops. Means most users can't grab the tool and use it, which is really what you want. The more steps required for a tool to be used, the less likely people are to use it.
Re: (Score:2)
Exactly!
Weren't there plans for the gpodder client to switch to this one as well (instead of creating the package manually)?
Re: (Score:1)
I like the effort, and appreciate the tool
You'd rather these adversaries fight with regular weapons???? (rifles, air dropped bombs, car bombs, silenced pistols, choke cords, polonium tea, cruise missiles, tanks, nuclear devices...)
I don't like the effort, and I don't appreciate the tool. I'm sure Mohamed Saher would like us to help out with his tool, but no thanks. Some countries sorely need to get pwned, and I applaud all efforts to do so.
Re: (Score:2)
They were even nice enough to import os and use os.path.join so it would be cross platform. These guys know something the rest of us don't?
Re: (Score:1)
To install python on windows
http://python.org/ftp/python/3.2.2/python-3.2.2.msi
My problem is that the .py file seems to be coded as HTML. Perhaps it is just that darn time change...
Re: (Score:1)
Stupid! I downloaded the page with source code encoded. I need more caffeine.
Please stop helping Iran and friends (Score:1)
Look, whoever is doing this...
1. is doing good
2. probably will resort to bombs, cruise missiles, and/or sneaky poisoning if this doesn't work
Re: (Score:3)
Re: (Score:2)
It's thought to be the same team, this time gathering the needed info for stuxnet version 2. Instead of attacking SCADA, Duqu researches SCADA systems. It's getting passwords, certificates, and other goodies needed to make stuxnet version 2 a huge success.
Re: (Score:3)
Gimp for Windows has Python (Score:1)
If you have Gimp installed on a windows system, it has a Python executable in its Python directory. Gimp uses Python for its plugins
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Even the most computer illiterate person knows how to get a copy of Photoshop and a serial number on their Windows machine. This is not 'Free' as in speech software, but 'Free' as in beer. Which is really all that most people care about.
Ultimate purpose of Duqu (Score:2)
In Suriname / Dutch slang, "doekoe" (pronounced as "duku") means money.
So, what would be the ultimate purpose of "Duqu"?
To make heaps of money with it!
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Because it's professionally written from a Stuxnet base, uses a signed driver, a new 0-day in MS Word, takes screenshots and key logs and also completely removes itself in 30-some days... It's probably a government spy program. My guess.
Re: (Score:2)
...a new 0-day in MS Word...
That right there is the main problem here.
Why, ten years after Microsoft announced that they were "focusing on security", is commercial software from any vendor still allowed to be shipped with 0-days embedded? These things can be found with rigorous enough testing (i.e., what criminal gangs are able to afford). Why then is it not a criminal offence for a company to sell software without having done this amount of testing? They are aiding and abetting criminal enterprise by allowing these security holes to exist in software they wrote.
This isn't a game any more. It's time to get real about software security on the Internet, or get out of the industry. Stop shipping native code if you can't guarantee that you can write it 100% correctly every time. It doesn't matter how fast your word processor runs if it gets your customers pwned.
Not much of a virus (Score:2)
Seriously... what sort of a virus/trojan/worm makes its presence known by leaving the driver files around for any old userspace app to peruse???
Every time I come across a virus I am kind of disappointed at how easy they are to detect. They hook this and that, but then go and kill your antivirus software - a dead giveaway. That wouldn't trip up most home users, but then the malware also makes so many TCP connections that internet browsing doesn't work anymore, which means the user either wipes it and reinsta
Re: (Score:1)
Re: (Score:1)
Every time I come across a virus I am kind of disappointed at how easy they are to detect.
You're disappointed by badly written viruses?
Re: (Score:2)
OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...
It is the process that appears to do nothing that is a real concern.
Re: (Score:2)
"Every time I come across a virus I am kind of disappointed at how easy they are to detect"
maybe that's because you only come across those that are detectable by your tools? ^^
Re: (Score:2)
"Every time I come across a virus I am kind of disappointed at how easy they are to detect"
maybe that's because you only come across those that are detectable by your tools? ^^
You stopped reading before the last line?
Re: (Score:2)
why did that last line not make you realize the pointlessness of your post?
are you "coming across" viruses by any other ways of them killing tools? if not, why would it surprise you that you only come across such blatant viruses? the other way I guess would be a warning from the AV before anything gets executed... does that disappoint you, too? the virus has a choice -- turn off the AV before it gets updated, and risk the user noticing (and do you really think everybody does? oh we all wish they would, but
Re: (Score:2)
But I did it, well enough that it runs, but it's done instantly, so I guess I'll try my hand at editing a real Python file to put in some prints and see what is null; it pays no attention to what would be argc[2].
If anyone has a clue what this line is supposed to do on a Linux box, speak up, total Python newbie here.
Re: (Score:2)
Re: (Score:2)
Thanks & Cheers, Gene
CrySyS duqu detector toolkit (Score:2)
CrySyS Lab released a new open-source toolkit to detect Duqu traces (possibly some file left after Duqu uninstalled itself after 30-36 days) and running Duqu instances.
http://www.crysys.hu/duqudetector/
Our tool combines heuristic and signature-based approaches, e.g. it calculates entropy for .PNF files and reports those suspiciously random ones.
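The entropy heuristic mentioned in the post above, shown as an added example that is not the CrySyS toolkit's own code: compute the Shannon entropy (bits per byte) of each .PNF file under a directory and report those that look uniformly random, which is what an encrypted or packed payload dressed up as a precompiled INF file would look like. The threshold of 7.0 bits/byte, the `.pnf` extension match and the two sample files are assumptions for illustration, not values taken from the toolkit.

```python
import math
import os
import sys
from collections import Counter

# Flag files at or above this many bits of entropy per byte.
# Assumed value for illustration; the CrySyS tool's threshold is not stated on the page.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    # H = -sum(p * log2(p)) over the byte values that actually occur
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_suspicious(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the content is close to uniformly random, as an encrypted blob would be."""
    return shannon_entropy(data) >= threshold


def scan_files(files: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Pure core of the scanner: {name: bytes} -> [(name, entropy)] for flagged files.

    Kept separate from disk access so it can be exercised on in-memory samples.
    Results are sorted with the most random file first.
    """
    flagged = []
    for name, data in files.items():
        h = shannon_entropy(data)
        if h >= threshold:
            flagged.append((name, round(h, 3)))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def scan_directory(root: str, extension: str = ".pnf",
                   threshold: float = ENTROPY_THRESHOLD) -> list:
    """Walk `root`, read every file with the given extension (case-insensitive),
    and return the flagged ones. Unreadable files are skipped rather than aborting
    the scan, since system directories often contain files we cannot open."""
    found = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(extension):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    found[path] = f.read()
            except OSError:
                continue
    return scan_files(found, threshold)


# Constructed in-memory samples, not real files from any system:
# a repetitive, low-entropy file and a uniformly distributed, maximally random one.
SAMPLE_FILES = {
    "benign_constructed.pnf": b"[Version]\r\nSignature=\"$Windows NT$\"\r\n" * 32,
    "random_constructed.pnf": bytes(range(256)) * 8,   # every byte equally often -> 8.0 bits
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = scan_files(SAMPLE_FILES)
    for name, entropy in results:
        print(f"{entropy:5.3f} bits/byte  {name}")
```

Run it with a directory argument to scan real files, or without one to see the heuristic on the embedded samples. High entropy alone is only a lead, not a verdict: legitimately compressed or signed content also scores high, which is why the post describes combining the heuristic with signatures rather than relying on either by itself.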