In association with heise online

12 November 2011, 13:46

DuquDetector released to forensically detect pest

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Pest icon The researchers at the lab credited with identifying the zero-day delivery mechanism of the Duqu bot, the Hungarian Laboratory of Cryptography and System Security (CrySyS), have released a toolkit for detecting the pest, even after components of it have been removed from a system.

The DuquDetector software comprises four executable tools which in turn scan for Duqu-infected system drivers, PNF files with "suspiciously high entropy", Duqu's temporary files and PNF files with no corresponding .inf files. It places these results in a logfile for an experienced practitioner to analyse. The combination of signature and heuristics-based analysis does mean that, as with other tools for detecting anomalies, false positives can get generated.

The four tools are bundled together with a batch file for simpler execution and the source code is supplied to allow security analysts to examine and re-compile the tools after auditing. Although the tools were initially listed as open source, they weren't licensed under a standard FOSS licence. The H Security contacted CrySyS and within hours CrySyS had re-released the tools under a GPLv3 licence. The manual gives more detail about the operation of the tools which are available to downloadDirect download.

NSS Labs has also released its own Duqu detector, a Python script which focuses primarily on pattern match scanning the system drivers. The BSD-licensed script is available from the developer's GitHub repository.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit