New Open Source Tool Scans for Duqu Drivers

A new scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers and enabling researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware.

“Based on layout of the drivers discovered so far, the NSS tool is capable of detecting 100% of drivers with zero false positives,” the company wrote in a statement on Friday. “Because it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.”

“We hope the research community can use this tool to discover new drivers and would ask that any samples be provided to NSS researchers (anonymously if preferred) in order to aid us in understanding more about the threat posed by Duqu,” they added.

The company also shared some additional discoveries and insights from its researchers during its analysis:

• It is premature to describe Duqu as “Stuxnet 2.”

• The Duqu infrastructure is still active despite the deactivation of the CC server; new drivers have been discovered after the original CC server was deactivated, indicating that a second CC network is currently active.

• Duqu is the first known modular plugin rootkit.

• While the Duqu code is simple, the fault-tolerant architecture is impressive; the writers anticipated discovery and deactivation of the CC network and planned for it. Alternative infection and control methods have been incorporated, and the modular nature allows for expansion and the addition of new functionality at a later date.

• The techniques used for concealing data for exfiltration are good. NSS has developed additional tools to aid in detecting these files.

• Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs. The implication is that, given the requirement for multiple man-years of effort, this has been produced by a disciplined, well-funded team of competent coders.

• It is too early to attribute authorship.

• Many researchers are claiming definitively that the Duqu authors had access to the original Stuxnet source code. This has not been proven. It is possible for anyone to reverse engineer the original Stuxnet code to the point where it can be modified and recompiled.

• There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have yet to see the real ammunition appear.

• The ultimate target is something far more valuable than personal information or credit card numbers. It is not likely that this has been developed with simple mercenary intentions – the target is much higher level.

• What we have seen so far is merely the first stage in a multi-stage attack – we have not heard the last of Duqu.

Earlier this week it was revealed that the attackers behind Duqu used a Microsoft Windows zero-day as part of their attack campaign. On Thursday Microsoft released a workaround to address the zero-day bug while it continues to work on a permanent fix.

In addition to announcing the scanning tool, NSS Labs said it would make its IDA Pro databases available and complete reversed code for Duqu to bona fide researchers who are interested in performing their own analysis of the code, scripts and dropped files. The scanning tool can be downloaded here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
