SecurityWeek

New Open Source Tool Scans for Duqu Drivers

A new scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers and enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware.

“Based on layout of the drivers discovered so far, the NSS tool is capable of detecting 100% of drivers with zero false positives,” the company wrote in a statement on Friday. “Because it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.”

“We hope the research community can use this tool to discover new drivers and would ask that any samples be provided to NSS researchers (anonymously if preferred) in order to aid us in understanding more about the threat posed by Duqu,” they added.

The company also shared some additional discoveries and insights from its researchers during its analysis:

• It is premature to describe Duqu as “Stuxnet 2.”

• The Duqu infrastructure is still active despite the deactivation of the CC server; new drivers have been discovered after the original CC server was deactivated, indicating that a second CC network is currently active.

• Duqu is the first known modular plugin rootkit.

• While the Duqu code is simple, the fault-tolerant architecture is impressive; the writers anticipated discovery and deactivation of the CC network and planned for it. Alternative infection and control methods have been incorporated, and the modular nature allows for expansion and the addition of new functionality at a later date.

• The techniques used for concealing data for exfiltration are good. NSS has developed additional tools to aid in detecting these files.

• Given the complexity of the system (solid driver code plus impressive system architecture), it is not possible for this to have been written by a single person, nor by a team of part-time amateurs. The implication is that, given the requirement for multiple man-years of effort, this has been produced by a disciplined, well-funded team of competent coders.

• It is too early to attribute authorship.

• Many researchers are claiming definitively that the Duqu authors had access to the original Stuxnet source code. This has not been proven. It is possible for anyone to reverse engineer the original Stuxnet code to the point where it can be modified and recompiled.

• There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have yet to see the real ammunition appear.

• The ultimate target is something far more valuable than personal information or credit card numbers. It is not likely that this has been developed with simple mercenary intentions – the target is much higher level.

• What we have seen so far is merely the first stage in a multi-stage attack – we have not heard the last of Duqu.

Earlier this week it was revealed that the attackers behind Duqu used a Microsoft Windows zero-day as part of their attack campaign. On Thursday Microsoft released a workaround to address the zero-day bug while it continues to work on a permanent fix.

In addition to announcing the scanning tool, NSS Labs said it would make its IDA Pro databases available and complete reversed code for Duqu to bona fide researchers who are interested in performing their own analysis of the code, scripts and dropped files. The scanning tool can be downloaded here.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
