Son of Stuxnet

Discussion in 'malware problems & news' started by CJsDad, Oct 18, 2011.

Thread Status:
Not open for further replies.
  1. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
  2. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
The Bitdefender stand-alone removal tool is getting negative feedback, therefore I am delinking the file
    -hXXp://www.bitdefender.com/news/bitdefender-offers-free-removal-tool-for-duqu-or-son-of-stuxnet-rootkit-2238.html-

    Note that most Anti-Virus vendors are now offering protection from this pest.
     
    Last edited: Oct 21, 2011
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I am looking for Duqu install tool. :D
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Two, very interesting articles from Kaspersky Lab
    http://www.securelist.com/en/blog/208193178/Duqu_FAQ
    http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One
    Kaspersky Lab said
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Lot of innovation here. Does it work on Windows 8?
     
  6. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,890
    Location:
    U.S.A.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
That's sad indeed. :mad:
     
  8. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Don't worry...maybe you find it...maybe it finds you? :D
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    :D :D

    That'd be a good Real test :D
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Kaspersky Lab detects Duqu incidents in Iran and Sudan
    Researchers say that each infection is unique


    Published: 11:19 GMT, 27 October 11

    Security vendor Kaspersky Lab has identified infections with the new Duqu malware in Sudan and, more importantly, Iran, the main target of the Trojan's predecessor - Stuxnet.

    Duqu took the security industry by storm last week when the Hungarian research laboratory Crysys shared its analysis of the new threat with the world's top antivirus vendors.

    Believed to be closely related to the Stuxnet industrial sabotage worm, from which it borrows code and functionality, Duqu is a flexible malware delivery framework used for data exfiltration.

    The main Trojan module has three components: a kernel driver, which injects a rogue library (DLL) into system processes; the DLL itself, which handles communication with the command-and-control server and other system operations, like writing registry entries or executing files; and a configuration file.
    Four incidents detected in Iran

    The secondary module is a keylogger with information-stealing capabilities, which was discovered together with the original Duqu version. It's not known with certainty when the malware appeared in the wild, but the first sample was submitted to the VirusTotal service on 9 September from someone in Hungary.

    Since then Kaspersky Lab has identified multiple variants, some of which were created on 17 October, and were found on computers in Sudan and Iran. "We know that there are at least 13 different driver files (and we have only six of them)," the Kaspersky researchers said.

Each of the four incidents detected in Iran is interesting in its own way, aside from the fact that they occurred in a country widely believed to have been Stuxnet's primary target.

    One incident involved two infected computers located on the same network, with one containing two separate Duqu drivers. In a separate case, the network where the infected computers resided recently registered two attacks that targeted a vulnerability exploited by both Stuxnet and the Conficker worm.

    It's worth pointing out that researchers still don't know how Duqu reaches the targeted systems, so these network attacks might serve as an indication of how the infection happens.
    The DLL is differently encoded in each attack

    "Duqu is used for targeted attacks with carefully selected victims," Kaspersky's researchers said. However, so far there is no indication that any of the victims are linked to Iran's nuclear program, like in Stuxnet's case; Certificate Authorities (CAs), like in other Iranian attacks; or even specific industries, as suggested by other reports.

    Another interesting discovery is that each Duqu infection is unique and results in components with different names and checksums. "Analysis of driver igdkmd16b.sys shows that there is a new encryption key, which means that existing detection methods of known PNF files (main DLL) are useless. It is obvious that the DLL is differently encoded in every single attack," the antivirus vendor's researchers said.

    Because Duqu's architecture is very flexible, it can update itself, change command-and-control (C&C) servers and install other components at any time. In fact, Kaspersky didn't find the original keylogger module on any of the infected systems in Sudan or Iran, meaning that it was either encoded differently or replaced with another one.

    "We cannot rule out that the known C&C in India was used only in the first known incident [...] and that there are unique C&Cs for every single target, including targets found by us," Kaspersky's researchers also noted.

    They also believe that the people behind Duqu are reacting to the situation and are not going to stop. As the hunt for new information continues, we'll likely see more developments in the days to come.

    http://news.techworld.com/security/3313855/kaspersky-lab-detects-duqu-incidents-in-iran-and-sudan/
     
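The article above makes a point that matters for anyone writing detections: the main DLL (the PNF file) is encoded with a different key on every victim, so hashes of known samples are useless against the next infection. The following Python is an added illustration of that failure mode and of a key-independent alternative; it is not code from the thread, from Kaspersky or from the Duqu authors. The encoding used (a short repeating XOR key) and the sample payload are assumed stand-ins chosen so the example runs offline; Duqu's real scheme is not described on this page and is not claimed here. The detection idea is to recover the per-victim key from known plaintext structure (a standard DOS/PE header start) and hash the decoded payload, which is the same for every victim.

```python
"""Per-victim re-encoding defeats hash-based IOCs; normalise before hashing.

Added example. The repeating-key XOR used here is an ASSUMED stand-in for
whatever per-target encoding the real malware applied, not Duqu's scheme.
"""
import hashlib
from typing import Optional, Tuple

# Known plaintext anchor: a typical DOS header start (MZ, e_cblp=0x90, e_cp=3).
# Eight bytes of known plaintext against at most a four-byte key leaves four
# bytes to confirm a candidate key, so random data does not match by accident.
KNOWN_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"

# Constructed sample payload standing in for the decoded main DLL.
PAYLOAD = (KNOWN_PREFIX
           + b"\x04\x00\x00\x00\xff\xff\x00\x00"
           + b"This program cannot be run in DOS mode."
           + bytes(range(64)))


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Toy per-victim encoding: repeating-key XOR (assumed; self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives the key bytes."""
    if key_len > len(known_prefix):
        raise ValueError("not enough known plaintext to recover the key")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def decode_and_hash(blob: bytes, known_prefix: bytes = KNOWN_PREFIX,
                    max_key_len: int = 4) -> Optional[Tuple[str, bytes]]:
    """Try key lengths 1..max_key_len. A candidate key is accepted only if
    the decoded blob reproduces the whole known prefix, i.e. the bytes beyond
    the key length confirm it. Returns (sha256 of decoded payload, key)."""
    if max_key_len >= len(known_prefix):
        raise ValueError("known prefix must be longer than the longest key")
    for klen in range(1, max_key_len + 1):
        key = recover_key(blob, known_prefix, klen)
        plain = xor_encode(blob, key)
        if plain.startswith(known_prefix):
            return hashlib.sha256(plain).hexdigest(), key
    return None


def reference_hash() -> str:
    """Hash of the decoded payload: the stable, key-independent indicator."""
    return hashlib.sha256(PAYLOAD).hexdigest()


def demo() -> dict:
    """Encode the same payload for two 'victims' with different keys.
    Raw file hashes differ (a hash IOC for victim 1 misses victim 2);
    decoded hashes are identical and both keys are recovered."""
    keys = (b"\x5a\xa1\x07\xc3", b"\x13\x37\xbe\xef")  # constructed keys
    blobs = [xor_encode(PAYLOAD, k) for k in keys]
    decoded = [decode_and_hash(b) for b in blobs]
    return {
        "raw_hashes": [hashlib.sha256(b).hexdigest() for b in blobs],
        "decoded_hashes": [d[0] if d else None for d in decoded],
        "recovered_keys": [d[1] if d else None for d in decoded],
        "unrelated_blob": decode_and_hash(bytes(40)),  # not a PE: None
    }


if __name__ == "__main__":
    result = demo()
    print("raw hashes differ:", result["raw_hashes"][0] != result["raw_hashes"][1])
    print("decoded hashes match reference:",
          result["decoded_hashes"] == [reference_hash()] * 2)
    print("recovered keys:", [k.hex() for k in result["recovered_keys"]])
```

The practical lesson is the one the researchers state: a detection keyed on the hash of a known PNF file fails on the next victim, whereas a check that first strips the per-target layer (here by known-plaintext key recovery) and then hashes or scans the decoded content survives re-encoding. The example also shows the caveat: the known plaintext must be longer than the key, or any blob looks like a match.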
  14. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    New findings and analysis from ESET

    ESET whitepaper, Stuxnet under the microscope PDF
     
  15. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    India Seizes Equipment Linked to Duqu Attack - Threatpost
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  17. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Critical Windows zero-day bug exploited by Duqu

    Trojan used booby-trapped Word file to spread

    Full Article, More from Kaspersky's ThreatPost
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    From the article:

    http://www.theregister.co.uk/2011/11/01/duqu_exploits_windows_zero_day/
    A yawn and another ho-hum.

    Paraphrase:

    Where have all the real system administrators gone?
    Have not benefited from past occurrences, not a one
When will they ever learn?


    June 2009
    https://www.wilderssecurity.com/showthread.php?t=244726



    regards,

    -rich
     
    Last edited: Nov 1, 2011
  19. wat0114

    wat0114 Guest

    Are they kidding or are they clueless??
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This advice is just not applicable in the business world. The documents are targeted, and do not appear suspicious.

    This topic has been covered elsewhere -- I can't locate the thread, but Wilders Member/Moderator Peter2150 discussed the business office scenario -- he has a small business office.

    His solution is Sandboxie, so that if the secretaries open something that turns out to be malicious, they are covered.

    Back then (2009), I sent Pete the RTF file mentioned in my link above, and the exploit went nowhere.

    Many solutions are available to prevent these types of exploits from running their trojan executables.


    ----
    rich
     
  21. wat0114

    wat0114 Guest

Right, the article seems to indicate it's a Word document, so it probably won't appear suspicious in most cases. It would seem, from my limited point of view at least, that a nice combination of a Standard account and an anti-executable approach should stop the payload.
     
  22. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    News from around the web would indicate this is newsworthy. I suppose the onus is now on Microsoft to make a formal statement.

    This may be forthcoming via the MS Official Blog
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hopefully, Microsoft will address two issues:

    A workaround and/or forthcoming patch.

    A statement that this (running an executable payload) doesn't necessarily have to happen with proper security policies/products in place.


    ----
    rich
     
  24. wat0114

    wat0114 Guest

This is what puzzles me. Is this exploit so diabolical that even proper anti-executable policies, especially in a Standard user account, can't stop it? The implication of the statement "no workarounds available" is that the payload will blow right past these types of measures.
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    (Reuters) - Microsoft Corp said hackers exploited a previously unknown bug in its Windows operating system to infect computers with the Duqu virus, which some security experts say could be the next big cyber threat.

    "We are working diligently to address this issue and will release a security update for customers," Microsoft said on Tuesday in a short statement.

    http://www.huffingtonpost.com/2011/11/02/duqu-virus-microsoft-windows_n_1071147.html
     