Connect with us

Hi, what are you looking for?


Malware & Threats

New Open Source Tool Scans for Duqu Drivers

A new scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system.

A new scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers and enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware.

“Based on layout of the drivers discovered so far, the NSS tool is capable of detecting 100% of drivers with zero false positives,” the company wrote in a statement on Friday. “Because it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.”

“We hope the research community can use this tool to discover new drivers and would ask that any samples be provided to NSS researchers (anonymously if preferred) in order to aid us in understanding more about the threat posed by Duqu,” they added.

Watch the On Demand Webcast: “Duqu- Precursor to the Next Stuxnet,” Presented by Symantec

The company also shared some additional discoveries and insights from its researchers during its analysis:

• It is premature to describe Duqu as “Stuxnet 2.”

• The Duqu infrastructure is still active despite the deactivation of the CC server; new drivers have been discovered after the original CC server was deactivated, indicating that a second CC network is currently active.

• Duqu is the first known modular plugin rootkit.

Advertisement. Scroll to continue reading.

• While the Duqu code is simple, the fault-tolerant architecture is impressive; the writers anticipated discovery and deactivation of the CC network and planned for it. Alternative infection and control methods have been incorporated, and the modular nature allows for expansion and the addition of new functionality at a later date.

• The techniques used for concealing data for exfiltration are good. NSS has developed additional tools to aid in detecting these files.

• Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs. The implication is that, given the requirement for multiple man-years of effort, that this has been produced by a disciplined, well-funded team of competent coders.

• It is too early to attribute authorship.

• Many researchers are claiming definitively that the Duqu authors had access to the original Stuxnet source code. This has not been proven. It is possible for anyone to reverse engineer the original Stuxnet code to the point where it can be modified and recompiled.

• There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have yet to see the real ammunition appear.

• The ultimate target is something far more valuable than personal information or credit card numbers. It is not likely that this has been developed with simple mercenary intentions – the target is much higher level.

• What we have seen so far is merely the first stage in a multi-stage attack – we have not heard the last of Duqu.

Earlier this week it was revealed that the attackers behind Duqu used a Microsoft Windows zero-day as part of their attack campaign. On Thursday Microsoft released a workaround to address the zero-day bug while it continues to work on a permanent fix.

In addition to announcing the scanning tool, NSS Labs said it would make its IDA Pro databases available and complete reversed code for Duqu to bona fide researchers who are interested in performing their own analysis of the code, scripts and dropped files. The scanning tool can be downloaded here.

Watch the On Demand Webcast: “Duqu- Precursor to the Next Stuxnet,” Presented by Symantec

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.