Duqu Malware Detection Tool Released

Toolkit can throw up false positives and should only be used by professionals, researchers say.

Mathew Schwartz

November 11, 2011

3 Min Read
Network Computing logo

Has the Duqu malware got you down? Then tap the Duqu Detector Toolkit, which is designed to spot even dormant infections.

The free toolkit comes from the CrySyS Lab at the Budapest University of Technology and Economics, which was the first group to discover Duqu, identity it as likely being related to Stuxnet, as well as to discover a dropper file (installer) for Duqu that offered additional clues into how the malware would have infected computers and spread. Notably, the installer recovered by CrySyS was a malicious Word document (.doc) file, although security researchers said the malware may have been spread through other means as well. Unlike Stuxnet, however, the malware didn't have the ability to self-replicate, meaning it would only have been used in highly targeted attacks.

CrySyS said its toolkit, which includes four command-line-executable components, intentionally includes "very simple, easy-to-analyze program source code ... to check that there is no backdoor or malicious code inside." That way, potential users can easily validate the source code before using it in highly specialized environments, such as those related to critical infrastructure.

[Vulnerable industrial control systems are found in many industries. For example, Prisons May Be Vulnerable To Stuxnet-Style Attack.]

That's pertinent since the research done to date on Duqu suggests that the malware was designed for industrial espionage--specifically to steal industrial control system designs. Furthermore, thanks to an exploit built into the malware, it has the ability to spread to network-connected systems, even if they're not Internet-connected. In other words, it was designed to target highly sensitive environments that might not be running any extraneous software, including antivirus, and which might now need a Duqu removal tool.

CrySyS said its detector toolkit "combines simple detection techniques to find Duqu infections on a computer or in a whole network." Those techniques include signature-based and heuristics-based scanning, which can "find traces of infections" even if some Duqu components were already excised. "The intention behind the tools is to find different types of anomalies--e.g., suspicious files--and known indicators of the presence of Duqu on the analyzed computer," said CrySyS.

But the lab warned that like all tools of this type, it can generate false positives. "We created the toolkit in such a way that if a real and active Duqu infection is found, then running all our tools will [result] in clear indications," according to CrySyS. "However, a single suspicious result may just be a false positive. In any case, professional experience is needed to carefully analyze these results as well, and to have a final verdict over the findings."

What should an organization do if it discovers a Duqu infection that doesn't appear to be a false positive? "First of all, don't panic," according to CrySyS. "In Duqu infections, forensics is very important, so instead of deleting files, start [a] careful process to save forensics material (memory dump, whole disc copy), but of course you might need additional steps, like lock-down of the subnetwork." But above all, it said, "hire professionals to handle your problem."

To date, Microsoft has detailed a workaround for the zero-day vulnerability that researchers unearthed in the Duqu source code, which involves a font parsing flaw in the TrueType engine in 32-bit versions of Windows. That vulnerability would have helped the malware to spread and infect its target without being detected. But Microsoft has yet to issue a patch that fixes the flaw exploited by Duqu.

About the Author(s)

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights