Open Source Tool Scans For Duqu Drivers

wiredmikey writes "A new open source scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers, and to enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware."

Re:

[justcauseisjustthat]

non-diverse corporate systems are the easiest to attack, right behind Windows

Windows virus detector in python?

[lpt1]

I like the effort, and appreciate the tool, but how many windows users have python installed? ;>

Re:

[lennier1]

That will probably be addressed at a later point.
Turning Python source into an executable isn't exactly rocket science.

Re:

[ardeez]

Yup, loose indentation is a real problem in Python.

Re:

[jrumney]

Yup, loose indentation is a real problem of Python.

FTFY

Re:

[Anonymous Coward]

Indentation should not be a requirement of a programming language. It should be there only for readability purposes. So yes this is a failure of python.

Re:

[kiddygrinder]

should? nice argument.

Then one has to ask why they didn't address it

[Sycraft-fu]

The GP is correct: Python is not common on Windows systems, particularly desktops. Means most users can't grab the tool and use it, which is really what you want. The more steps required for a tool to be used, the less likely people are to use it.

Re:

[lennier1]

Exactly!

Weren't there plans for the gpodder client to switch to this one as well (instead of creating the package manually)?

Re:

[r00t]

I like the effort, and appreciate the tool

You'd rather these adversaries fight with regular weapons???? (rifles, air dropped bombs, car bombs, silenced pistols, choke cords, polonium tea, cruise missiles, tanks, nuclear devices...)

I don't like the effort, and I don't appreciate the tool. I'm sure Mohamed Saher would like us to help out with his tool, but no thanks. Some countries sorely need to get pwned, and I applaud all efforts to do so.

Re:

[sgt scrub]

They were even nice enough to import os and use os.path.join so it would be cross platform. These guys know something the rest of us don't?

Re:

[twrake]

To install python on windows

http://python.org/ftp/python/3.2.2/python-3.2.2.msi [python.org]

My problem is that the .py file seems to be coded as HTML. Perhaps it is just that darn time change...

Re:

[twrake]

Stupid!I downloaded the page with source code encoded.I need more caffine.

Please stop helping Iran and friends

[r00t]

Look, whoever is doing this...

1. is doing good

2. probably will resort to bombs, cruise missiles, and/or sneaky poisoning if this doesn't work

Re:

[Mr. Freeman]

You idiot. This has nothing to do with stuxnet. Yes, it's very similar in how it works, but it serves a completely different purpose. Duqu isn't targeting Iran or any industrial/commercial automation and control systems. I determined this information from 10 seconds of research through wikipedia. Seriously, look stuff up before blindly commenting on it.

Re:

[r00t]

It's thought to be the same team, this time gathering the needed info for stuxnet version 2. Instead of attacking SCADA, Duqu researches SCADA systems. It's getting passwords, certificates, and other goodies needed to make stuxnet version 2 a huge success.

Re:

[Charliemopps]

until they decide to use the technology on us. Then it will be bad. At least we don't have to worry about them assassinating a US citizen right?

Gimp for Windows has Python

[Anonymous Coward]

If you have Gimp installed on a windows system, it has a Python executable in its Python directory. Gimp uses Python for its plugins

Re:

[Mojo66]

On UNIX, if Python would come bundled with GIMP, it would be installed in /usr/bin and thus available to all applications, whereas on ingenious Windows, the default install location would be somewhere in \Program Files\ where it never gets picked up by anything.

Re:

[gd2shoe]

It doesn't have a whole lot of free (or inexpensive) software more powerful than GIMP. (It does have moderate and very expensive software that is much better than GIMP.) Now the cheep software available does tend to have a much cleaner/easier user interface than GIMP...

Re:

[gmhowell]

Even the most computer illiterate person knows how to get a copy of Photoshop and a serial number on their Windows machine. This is not 'Free' as in speech software, but 'Free' as in beer. Which is really all that most people care about.

Ultimate purpose of Duqu

[Hank the Lion]

In Suriname / Dutch slang, "doekoe" (pronounced as "duku") means money.
So, what would be the ultimate purpose of "Duqu"?
To make heaps of money with it!

Re:

[Splenetiatist]

It was named by researchers after the files it creates , which are prefixed "~DQ".

Re:

[Tomato42]

One doesn't exclude the other. Informative none the less.

Re:

[InlawBiker]

Because its professionally written from a Stuxnet base, uses a signed driver, a new 0-day in MS Word, takes screen shots and key logs and also completely removes itself in 30-some days... It's probably a government spy program. My guess.

Re:

[lennier]

...a new 0-day in MS Word.../quote>

That right there is the main problem here.

Why, ten years after Microsoft announced that they were "focusing on security", is commercial software from any vendor still allowed to be shipped with 0-days embedded? These things can be found with rigorous enough testing (ie, what criminal gangs are able to afford). Why then is it not a criminal offence for a company to sell software without having done this amount of testing? They are aiding and abetting criminal enterprise by allowing these security holes to exist in software they wrote.

This isn't a game any more. It's time to get real about software security on the Internet, or get out of the industry. Stop shipping native code if you can't guarantee that you can write it 100% correctly every time. It doesn't matter how fast your word processor runs if it gets your customers pwned.

Not much of a virus

[jamesh]

Seriously... what sort of a virus/trojan/worm makes its presence known by leaving the driver files around for any old userspace app to peruse???

Every time I come across a virus I am kind of disappointed at how easy they are to detect. They hook this and that, but then go and kill your antivirus software - a dead giveaway. That wouldn't trip up most home users, but then the malware also makes so many TCP connections that internet browsing doesn't work anymore, which means the user either wipes it and reinsta

Re:

[da8add1e]

yeh it's called windows :P

Re:

[Splenetiatist]

Every time I come across a virus I am kind of disappointed at how easy they are to detect.

You're disappointed by badly written viruses?

Re:

[dragonturtle69]

OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

It is the process that appears to do nothing that is a real concern.

Re:

[Johann Lau]

"Every time I come across a virus I am kind of disappointed at how easy they are to detect"

maybe that's because you only come across those that are detectable by your tools? ^^

Re:

[jamesh]

"Every time I come across a virus I am kind of disappointed at how easy they are to detect"

maybe that's because you only come across those that are detectable by your tools? ^^

You stopped reading before the last line?

Re:

[Johann Lau]

why did that last line not make you realize the pointlessness of your post?

are you "coming across" viruses by any other ways of them killing tools? if not, why would it surprise you that you only come across such blatant viruses? the other way I guess would be a warning from the AV before anything gets executed... does that disappoint you, too? the virus has a choice -- turn off the AV before it gets updated, and risk the user noticing (and do you really think everybody does? oh we all wish they would, but

Re:

[Almost-Retired]

I did the copy/paste myself, from that web page and it sucks to have to fix all the gawddamned tabs the html engine or the copy paste inserts needlessly. Where the hell is the download button?

But I did it, good enough that it runs, but its done instantly, so I guess I try my hand at editing a real python file to put in some prints and see what is null, it pays no attention to what would be argc[2].
If anyone has a clue what this line is supposed to do on a linux box, speak up, python total new bee here.

Re:

[Bodhammer]

python.exe DuquDriverPatterns.py c:

Re:

[Almost-Retired]

That is obviously for winderz, this is linux. I finally hardcoded the script for /, but that is too wide a brush and eventually reset the system, probably out of ram, only 4Gb in this box.

Thanks & Cheers, Gene

CrySyS duqu detector toolkit

[boldi]

CrySys Lab released a new open-source toolkit to detect duqu traces (possibly some file left after duqu uninstalled itself after 30-36 days) and running Duqu instances.
  http://www.crysys.hu/duqudetector/
Our tool combines heurestic and signature based approach, e.g. it calculates entropy for .PNF files and reports those suspiciously random ones.