DuquDetector released to forensically detect pest
The researchers at the lab credited with identifying the zero-day delivery mechanism of the Duqu bot, the Hungarian Laboratory of Cryptography and System Security (CrySyS), have released a toolkit for detecting the pest, even after components of it have been removed from a system.
The DuquDetector software comprises four executable tools which respectively scan for Duqu-infected system drivers, PNF files with "suspiciously high entropy", Duqu's temporary files, and PNF files with no corresponding .inf files. It writes these results to a logfile for an experienced practitioner to analyse. Because the analysis combines signatures with heuristics, false positives can be generated, as with other anomaly-detection tools.
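The two PNF heuristics described above, as an added example that is not CrySyS's or NSS Labs' code: it computes the Shannon entropy of every .pnf file in a folder and flags files above an assumed threshold or lacking a same-named .inf. The sample folder, its file names and the 7.5 bits/byte threshold are constructed for the example; a real scan would point at the Windows inf directory.

```python
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_pnf_dir(directory: str, entropy_threshold: float = 7.5) -> list:
    """Return (filename, reason) findings for high-entropy and orphaned .pnf files.

    The threshold is an assumption for this example, not a value from DuquDetector.
    """
    findings = []
    names = os.listdir(directory)
    lower_names = {n.lower() for n in names}
    for name in names:
        if not name.lower().endswith(".pnf"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            ent = shannon_entropy(fh.read())
        if ent > entropy_threshold:
            findings.append((name, f"high entropy {ent:.2f} bits/byte"))
        # A precompiled .pnf normally sits beside the .inf it was built from.
        if name[:-4].lower() + ".inf" not in lower_names:
            findings.append((name, "no corresponding .inf file"))
    return findings


def build_sample_dir() -> str:
    """Constructed test folder: a benign pair, an orphan .pnf, and a uniform-byte .pnf."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "oem1.inf"), "w") as f:
        f.write('[Version]\nSignature="$Windows NT$"\n')
    with open(os.path.join(d, "oem1.pnf"), "wb") as f:
        f.write(b"\x00" * 2048)          # low entropy, has its .inf: not flagged
    with open(os.path.join(d, "orphan.pnf"), "wb") as f:
        f.write(b"\x00" * 2048)          # low entropy but no orphan.inf: flagged
    with open(os.path.join(d, "oem2.inf"), "w") as f:
        f.write("[Version]\n")
    with open(os.path.join(d, "oem2.pnf"), "wb") as f:
        f.write(bytes(range(256)) * 8)   # every byte equally frequent: entropy 8.0
    return d
```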
The four tools are bundled together with a batch file for simpler execution, and the source code is supplied so that security analysts can examine the tools and re-compile them after auditing. Although the tools were initially listed as open source, they weren't licensed under a standard FOSS licence. The H Security contacted CrySyS and within hours CrySyS had re-released the tools under a GPLv3 licence. The manual gives more detail about the operation of the tools, which are available to download.
NSS Labs has also released its own Duqu detector, a Python script which focuses primarily on pattern-match scanning of the system drivers. The BSD-licensed script is available from the developer's GitHub repository.
(djwm)