Open-source toolkit finds Duqu infections
A component of the toolkit can also give an administrator insight into what data was stolen
IDG News Service - The lab credited with discovering the Duqu malware has built an open-source toolkit that administrators can use to see whether their networks are infected.
The Duqu Detector Toolkit v1.01 looks for suspicious files left by Duqu, which has created a buzz in the security community given its stealthy nature and some characteristics it shares with another famous piece of malicious software, Stuxnet.
The Laboratory of Cryptography and System Security (CrySys), part of Budapest University of Technology and Economics based in Hungary, wrote in its release notes that the toolkit, which is composed of four components, looks for strange files that mark an infection.
CrySys said that the toolkit should detect a real, active Duqu infection, but false positives are possible, so it cautioned that administrators will need to analyze the results rather than treat a hit as proof of compromise.
Stand-alone forensic tools such as the one CrySys developed are important because they give Duqu victims a better picture of how they were attacked, said Costin Raiu, director of the global research and analysis team for Kaspersky Lab. Antivirus software does not give the same insight; it focuses instead on detecting and blocking an attack.
"The toolkit released by CrySys Lab is top class," Raiu said. "Of course, all of this can be done 'manually,' but these tools make it much easier to spot anomalies in Duqu-infected computers."
The toolkit also has a component that could let victims figure out what data Duqu has stolen. Raiu said stolen data is stored in files ending in "DQ" -- hence the malware's name -- and in "DF."
"I'm sure that any victim wants to know what was stolen from them," Raiu said.
At least one other company has released a Duqu detection tool. NSS Labs' tool is a script that looks for certain strings within the drivers employed by Duqu.
Microsoft is in the process of creating a patch for the software vulnerability Duqu uses to infect computers. CrySys, which recovered a Duqu installer file, is also credited with discovering that the installer exploited a previously unknown Windows vulnerability.
A Duqu infection could occur if a person was tricked into opening a malicious Microsoft Word document sent by e-mail. The vulnerability is in Windows' Win32k TrueType font-parsing engine. Microsoft has published a Fix it tool that temporarily blocks attacks by denying access to the t2embed.dll font-embedding library until the patch is ready.