Investigation: Duqu: The Steal Everything attitude! on Sat Nov 26, 2011 10:29 am
DragonMaster Jay
Site Owner

Duqu is a fairly new and sophisticated trojan. Security experts are not sure how much it is related to the Stuxnet worm; however, the functionality of both types of threats is too similar.
Not sure if Duqu is just a fork of Stuxnet, or if the same developers made both of these nasty threats!
The biggest difference is that Stuxnet can replicate across a network, however, Duqu cannot!
Duqu exploits a flaw in a Microsoft Word document that exploits the CVE-2011-3402 vulnerability. It contains code to inject into Win32k.sys, at the highest privilege level. The 0-day exploit was able to gain root level.
This article contains more information about the exploit and flaws, and what Microsoft has done to help workaround it, so the malware can be removed/prevented: http://www.helpmyos.com/t2578-cheetah-fast-update-duqu-kernel-flaw-workaround-released-by-microsoft
This toolkit can detect instances of Duqu on the machine and other such traces: http://www.crysys.hu/duqudetector
There are two known info stealing components and seven user-to-kernel level drivers used in the distribution of this malware.
There is speculation that the Command & Control (C&C) server is no longer active in either India or Belgium.
We're continuing to watch this threat here at Cheetah-Fast and will update this thread when new details come in...
You may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats.
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner
