Forgot your password?
typodupeerror
Security Open Source Windows News IT

Open Source Tool Scans For Duqu Drivers 64

Posted by timothy
from the my-system-is-duqu-free dept.
wiredmikey writes "A new open source scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers, and to enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware."
This discussion has been archived. No new comments can be posted.

Open Source Tool Scans For Duqu Drivers

Comments Filter:
  • by lpt1 (46613) on Sunday November 06, 2011 @03:35AM (#37963940)

    I like the effort, and appreciate the tool, but how many windows users have python installed? ;>

    • by lennier1 (264730)

      That will probably be addressed at a later point.
      Turning Python source into an executable isn't exactly rocket science.

      • The GP is correct: Python is not common on Windows systems, particularly desktops. Means most users can't grab the tool and use it, which is really what you want. The more steps required for a tool to be used, the less likely people are to use it.

    • by r00t (33219)

      I like the effort, and appreciate the tool

      You'd rather these adversaries fight with regular weapons???? (rifles, air dropped bombs, car bombs, silenced pistols, choke cords, polonium tea, cruise missiles, tanks, nuclear devices...)

      I don't like the effort, and I don't appreciate the tool. I'm sure Mohamed Saher would like us to help out with his tool, but no thanks. Some countries sorely need to get pwned, and I applaud all efforts to do so.

    • by sgt scrub (869860)

      They were even nice enough to import os and use os.path.join so it would be cross platform. These guys know something the rest of us don't?

    • by twrake (168507)

      To install python on windows

      http://python.org/ftp/python/3.2.2/python-3.2.2.msi [python.org]

      My problem is that the .py file seems to be coded as HTML. Perhaps it is just that darn time change...

      • by twrake (168507)

        Stupid!I downloaded the page with source code encoded.I need more caffine.

  • Look, whoever is doing this...

    1. is doing good

    2. probably will resort to bombs, cruise missiles, and/or sneaky poisoning if this doesn't work

    • You idiot. This has nothing to do with stuxnet. Yes, it's very similar in how it works, but it serves a completely different purpose. Duqu isn't targeting Iran or any industrial/commercial automation and control systems. I determined this information from 10 seconds of research through wikipedia. Seriously, look stuff up before blindly commenting on it.
      • by r00t (33219)

        It's thought to be the same team, this time gathering the needed info for stuxnet version 2. Instead of attacking SCADA, Duqu researches SCADA systems. It's getting passwords, certificates, and other goodies needed to make stuxnet version 2 a huge success.

    • until they decide to use the technology on us. Then it will be bad. At least we don't have to worry about them assassinating a US citizen right?
  • by Anonymous Coward

    If you have Gimp installed on a windows system, it has a Python executable in its Python directory. Gimp uses Python for its plugins

    • by Mojo66 (1131579)
      On UNIX, if Python would come bundled with GIMP, it would be installed in /usr/bin and thus available to all applications, whereas on ingenious Windows, the default install location would be somewhere in \Program Files\ where it never gets picked up by anything.
  • In Suriname / Dutch slang, "doekoe" (pronounced as "duku") means money.
    So, what would be the ultimate purpose of "Duqu"?
    To make heaps of money with it!

    • It was named by researchers after the files it creates , which are prefixed "~DQ".
    • Because its professionally written from a Stuxnet base, uses a signed driver, a new 0-day in MS Word, takes screen shots and key logs and also completely removes itself in 30-some days... It's probably a government spy program. My guess.

      • by lennier (44736)

        ...a new 0-day in MS Word.../quote>

        That right there is the main problem here.

        Why, ten years after Microsoft announced that they were "focusing on security", is commercial software from any vendor still allowed to be shipped with 0-days embedded? These things can be found with rigorous enough testing (ie, what criminal gangs are able to afford). Why then is it not a criminal offence for a company to sell software without having done this amount of testing? They are aiding and abetting criminal enterprise by allowing these security holes to exist in software they wrote.

        This isn't a game any more. It's time to get real about software security on the Internet, or get out of the industry. Stop shipping native code if you can't guarantee that you can write it 100% correctly every time. It doesn't matter how fast your word processor runs if it gets your customers pwned.

  • Seriously... what sort of a virus/trojan/worm makes its presence known by leaving the driver files around for any old userspace app to peruse???

    Every time I come across a virus I am kind of disappointed at how easy they are to detect. They hook this and that, but then go and kill your antivirus software - a dead giveaway. That wouldn't trip up most home users, but then the malware also makes so many TCP connections that internet browsing doesn't work anymore, which means the user either wipes it and reinsta

    • by da8add1e (1244554)
      yeh it's called windows :P
    • Every time I come across a virus I am kind of disappointed at how easy they are to detect.

      You're disappointed by badly written viruses?

    • OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

      It is the process that appears to do nothing that is a real concern.

    • "Every time I come across a virus I am kind of disappointed at how easy they are to detect"

      maybe that's because you only come across those that are detectable by your tools? ^^

      • by jamesh (87723)

        "Every time I come across a virus I am kind of disappointed at how easy they are to detect"

        maybe that's because you only come across those that are detectable by your tools? ^^

        You stopped reading before the last line?

        • why did that last line not make you realize the pointlessness of your post?

          are you "coming across" viruses by any other ways of them killing tools? if not, why would it surprise you that you only come across such blatant viruses? the other way I guess would be a warning from the AV before anything gets executed... does that disappoint you, too? the virus has a choice -- turn off the AV before it gets updated, and risk the user noticing (and do you really think everybody does? oh we all wish they would, but

  • CrySys Lab released a new open-source toolkit to detect duqu traces (possibly some file left after duqu uninstalled itself after 30-36 days) and running Duqu instances.
      http://www.crysys.hu/duqudetector/
    Our tool combines heurestic and signature based approach, e.g. it calculates entropy for .PNF files and reports those suspiciously random ones.

No man is an island if he's on at least one mailing list.

Working...