Research Lab Offers Duqu Detection and Removal Tool – Network World
Microsoft is usually pretty good at responding to threats, but it's been a little slow on the draw with the Duqu malware, a.k.a. Son of Stuxnet. Yes, it has offered a work-around to protect against it, but the company has yet to offer adequate protection, detection and removal of the malicious software. Fortunately, a third party has come to the rescue.
The Laboratory of Cryptography and System Security (CrySyS), which initially found the Duqu virus, has released a toolkit to detect and remove the virus from affected systems. The Duqu Detector Toolkit v1.01 is open source, with the code fully available for download.
Duqu is a nasty piece of work that may or may not be based on the Stuxnet virus, depending on whom you ask. Some security researchers have said yes while others disagreed.
Stuxnet was specifically designed to take down the industrial control systems in Iran's nuclear power plants. Duqu has a broader use. It has been designed to gather information on an infected party that would be used in a future cyber attack. So it looks around for weaknesses in your armor and tells the future attack where you are vulnerable.
The good news for some (like me) is that Duqu only targets 32-bit Windows. So if you are running 64-bit Windows 7, you're good. You just have to deal with the millions of other malware pieces out there.
Dell's SecureWorks noted that the two Trojans operate much in the same way. Both use a kernel driver to decrypt and load encrypted DLL (Dynamic Link Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. Dell notes this trick is not unique to either Duqu or Stuxnet.
Dell also notes the kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet.
Microsoft pushed out an emergency workaround last week, which shuts off access to T2EMBED.DLL, the library Duqu targets for its injection. However, Patch Tuesday came and went without a fix. That's not unusual. Microsoft will skip a Patch Tuesday for the sake of getting it right the first time. The only thing more embarrassing than an exploit is screwing up the patch to a malware exploit.
The CrySyS toolkit is based on signature- and heuristics-based methods and is able to find traces of infections where components of the malware are already removed from the system.
"We created the toolkit in such a way that if a real and active Duqu infection is found, then running all our tools will result in clear indications. However, a single suspicious result may just be a false positive. In any case, professional experience is needed to carefully analyse these results as well, and to have a final verdict over the findings," the company wrote in its release notes.