
New Open Source Tool Scans for Duqu Drivers

Engineers at independent security testing firm NSS Labs have released a new scanning tool that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers and enabling researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware.

“Based on layout of the drivers discovered so far, the NSS tool is capable of detecting 100% of drivers with zero false positives,” the company wrote in a statement on Friday. “Because it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.”

“We hope the research community can use this tool to discover new drivers and would ask that any samples be provided to NSS researchers (anonymously if preferred) in order to aid us in understanding more about the threat posed by Duqu,” they added.

The company also shared some additional discoveries and insights from its researchers during its analysis:

• It is premature to describe Duqu as “Stuxnet 2.”

• The Duqu infrastructure is still active despite the deactivation of the CC server; new drivers have been discovered after the original CC server was deactivated, indicating that a second CC network is currently active.

• Duqu is the first known modular plugin rootkit.

• While the Duqu code is simple, the fault-tolerant architecture is impressive; the writers anticipated discovery and deactivation of the CC network and planned for it. Alternative infection and control methods have been incorporated, and the modular nature allows for expansion and the addition of new functionality at a later date.

• The techniques used for concealing data for exfiltration are good. NSS has developed additional tools to aid in detecting these files.

• Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs. The implication is that, given the requirement for multiple man-years of effort, this has been produced by a disciplined, well-funded team of competent coders.

• It is too early to attribute authorship.

• Many researchers are claiming definitively that the Duqu authors had access to the original Stuxnet source code. This has not been proven. It is possible for anyone to reverse engineer the original Stuxnet code to the point where it can be modified and recompiled.

• There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have yet to see the real ammunition appear.

• The ultimate target is something far more valuable than personal information or credit card numbers. It is not likely that this has been developed with simple mercenary intentions – the target is much higher level.

• What we have seen so far is merely the first stage in a multi-stage attack - we have not heard the last of Duqu.

Earlier this week it was revealed that the attackers behind Duqu used a Microsoft Windows zero-day as part of their attack campaign. On Thursday Microsoft released a workaround to address the zero-day bug while it continues to work on a permanent fix.

In addition to announcing the scanning tool, NSS Labs said it would make its IDA Pro databases and complete reversed code for Duqu available to bona fide researchers who are interested in performing their own analysis of the code, scripts and dropped files. The scanning tool can be downloaded here.
