NSS Labs Release Duqu Analysis and Detection Tool

Those interested can closely collaborate with their research team

November 5th, 2011 11:05 GMT

Researchers and online security enthusiasts can make good use of a tool that scans a system for traces of the now infamous Duqu malware, which has posed a lot of problems for companies around the world.

NSS Labs published a script that should detect all the Duqu drivers installed on a system, thus allowing security experts to further analyze the “functionality, capabilities and ultimate purpose of DuQu.”

In the tests made so far, the tool has successfully detected all the drivers with a zero false positive rate. The advanced pattern recognition techniques it relies on allow the app to detect even new drivers as they are discovered.

Since it was developed, two new Duqu drivers were discovered and the detection software identified them easily, without requiring an update.

Those who wish to do so are welcome to collaborate closely with the NSS team, which will make available its databases and complete reverse-engineered code. The samples identified by the application can be provided to NSS researchers to help them better understand the threats posed by the malware.

In addition to the tool, the security experts listed their findings related to the piece of malware.

It seems that Duqu contains similar code and uses similar techniques to Stuxnet. More precisely, it seems to make use of digital certificates that appear legitimate, but it's far too early to describe it as Stuxnet 2.

Other findings show that it was created to deactivate itself after a certain period of time, in most cases after 36 days, but this feature can be changed according to the requirements of its mission.

“There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken DuQu to a sophisticated rocket launcher – we have yet to see the real ammunition appear,” wrote the researchers.
