Open Source Tool Scans For Duqu Drivers

wiredmikey writes "A new open source scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers, and to enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware."

64 comments

  1. Windows virus detector in python? by lpt1 · · Score: 4, Informative

    I like the effort, and appreciate the tool, but how many windows users have python installed? ;>

    1. Re:Windows virus detector in python? by lennier1 · · Score: 1

      That will probably be addressed at a later point.
      Turning Python source into an executable isn't exactly rocket science.

    2. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      C:\Python32>python.exe DuquDriverPatterns.py
          File "DuquDriverPatterns.py", line 991
              patternsFound = {}
                                                  ^
      TabError: inconsistent use of tabs and spaces in indentation
      Is this a correct usage of the program,

      and does this mean it hasn't found any instances?

    3. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      Have you seen the script? It's piss easy, in fact I might rewrite it in C++ right now...

    4. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      A copy/paste of the source code from the web page will lose the indentation, which is important for Python code.
      Try downloading the raw file.

    5. Re:Windows virus detector in python? by ardeez · · Score: 1

      Yup, loose indentation is a real problem in Python.

      --
      don't be a spelling loser
    6. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      well d'uh!
      I did download the RAW file, executed it and it resulted in the same error message.

      Also I tried to make an .exe from this, but py2exe only works with lower versions of Python.
      I wanted to upload it to rapidshare for n00b users like me - click and run.
      I found another way to freeze scripts - cx_freeze - but I am giving up.
      Please, someone who is more tech savvy, compile this into a standalone binary
      and provide it for the n00bsters. k0xbai

    7. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      The indentation of the "for ... in" line is space-based, the rest are tabs; you need to change them to be the same. Also, if you're using Python 3.x, remember to change
      print stuff
      to
      print(stuff)

    8. Re:Windows virus detector in python? by r00t · · Score: 0

      I like the effort, and appreciate the tool

      You'd rather these adversaries fight with regular weapons???? (rifles, air dropped bombs, car bombs, silenced pistols, choke cords, polonium tea, cruise missiles, tanks, nuclear devices...)

      I don't like the effort, and I don't appreciate the tool. I'm sure Mohamed Saher would like us to help out with his tool, but no thanks. Some countries sorely need to get pwned, and I applaud all efforts to do so.

    9. Re:Windows virus detector in python? by sgt+scrub · · Score: 1

      They were even nice enough to import os and use os.path.join so it would be cross platform. These guys know something the rest of us don't?

      --
      Having to work for a living is the root of all evil.
    10. Re:Windows virus detector in python? by jrumney · · Score: 1

      Yup, loose indentation is a real problem of Python.

      FTFY

    11. Re:Windows virus detector in python? by twrake · · Score: 1

      To install python on windows

      http://python.org/ftp/python/3.2.2/python-3.2.2.msi

      My problem is that the .py file seems to be coded as HTML. Perhaps it is just that darn time change...

    12. Re:Windows virus detector in python? by twrake · · Score: 1

      Stupid! I downloaded the page with the source code encoded. I need more caffeine.

    13. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      I have the same problem running the script under Windows ... also opening it with the Python shell always gives errors
      about inconsistent use of tabs and spaces in indentation; does anyone have a clue about this?
      Using Python 3.2.2 x64, downloaded from this link:

      http://www.python.org/ftp/python/3.2.2/python-3.2.2.amd64.msi

    14. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      Obligatory:

      Yup, loose indentation is a real problem of sloppy programmers.

      FTFY

    15. Re:Windows virus detector in python? by Anonymous Coward · · Score: 1

      Indentation should not be a requirement of a programming language. It should be there only for readability purposes. So yes this is a failure of python.

    16. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      just scan from a live linux cd geniuses... the drivers are probably hidden in a running windows system, anyway...

    17. Re:Windows virus detector in python? by kiddygrinder · · Score: 1

      should? nice argument.

      --
      This is a joke. I am joking. Joke joke joke.
    18. Re:Windows virus detector in python? by Anonymous Coward · · Score: 0

      Try IDLE, a Python IDE available for Windows, free, easy to install, comes with various add-ons.
      Here's a couple of links:

      https://secure.wikimedia.org/wikipedia/en/wiki/IDLE_%28Python%29

      http://docs.python.org/library/idle.html

      http://www.python.org/getit/
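The TabError quoted in this thread comes from CPython measuring each line's indentation twice, once with a tab worth 8 columns and once with a tab worth 1, and rejecting any block where the two measurements disagree. The script below is an added example, not the NSS Labs tool: it reproduces the error on a constructed fragment (SAMPLE, modelled on the tab-then-spaces mix described above), locates the offending line the same way CPython does, and rewrites the indentation to spaces so the file compiles. The function names are assumptions made for this demonstration.

```python
"""Added example, not part of the NSS Labs script: reproduce the TabError
the thread is hitting, locate the offending line the way CPython does, and
rewrite the indentation so the file compiles. SAMPLE is a constructed
fragment: a tab-indented line followed by an 8-space line in the same block."""

SAMPLE = (
    "import os\n"
    "def scan(rootdir):\n"
    "\tpatternsFound = {}\n"                       # indented with one tab
    "        for name in os.listdir(rootdir):\n"   # indented with 8 spaces
    "\t    patternsFound[name] = True\n"           # tab plus 4 spaces
    "\treturn patternsFound\n"
)


def inconsistent_indent_lines(source):
    """Simplified form of the CPython tokenizer's check. Each line's
    indentation is measured twice, with a tab worth 8 columns and with a
    tab worth 1 column. When the two measurements disagree about how the
    line relates to the enclosing block, the indentation is ambiguous and
    CPython raises TabError. Continuation lines and multi-line strings
    are not handled here."""
    stack = [(0, 0)]   # (col8, col1) of the currently open blocks
    bad = []
    for no, line in enumerate(source.splitlines(), start=1):
        body = line.lstrip(" \t")
        if not body or body.startswith("#"):
            continue   # blank and comment-only lines do not set indentation
        ws = line[:len(line) - len(body)]
        col8, col1 = len(ws.expandtabs(8)), len(ws.expandtabs(1))
        top8, top1 = stack[-1]
        if col8 == top8:
            if col1 != top1:          # same block under one width, not the other
                bad.append(no)
        elif col8 > top8:
            if col1 <= top1:          # indent under one width, not the other
                bad.append(no)
            stack.append((col8, col1))
        else:
            while len(stack) > 1 and stack[-1][0] > col8:
                stack.pop()
            if stack[-1][1] != col1:  # dedent target disagrees under width 1
                bad.append(no)
    return bad


def normalize_indent(source, tab_width=8):
    """Expand tabs in the leading whitespace only, leaving tabs inside code
    or string literals untouched, so every block is indented with spaces."""
    out = []
    for line in source.splitlines(keepends=True):
        body = line.lstrip(" \t")
        ws = line[:len(line) - len(body)]
        out.append(ws.expandtabs(tab_width) + body)
    return "".join(out)


def compiles(source):
    """True if CPython accepts the source; TabError is a SyntaxError subclass."""
    try:
        compile(source, "<sample>", "exec")
    except SyntaxError:
        return False
    return True


if __name__ == "__main__":
    print("ambiguous lines:", inconsistent_indent_lines(SAMPLE))   # [4]
    print("compiles before:", compiles(SAMPLE))                     # False (TabError)
    print("compiles after: ", compiles(normalize_indent(SAMPLE)))  # True
```

Running the same normalize_indent over a downloaded DuquDriverPatterns.py would remove the tab/space mix; the Python 2 print statements mentioned in the thread are a separate problem that this does not touch.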

  2. Please stop helping Iran and friends by r00t · · Score: 0

    Look, whoever is doing this...

    1. is doing good

    2. probably will resort to bombs, cruise missiles, and/or sneaky poisoning if this doesn't work

    1. Re:Please stop helping Iran and friends by Mr.+Freeman · · Score: 2

      You idiot. This has nothing to do with stuxnet. Yes, it's very similar in how it works, but it serves a completely different purpose. Duqu isn't targeting Iran or any industrial/commercial automation and control systems. I determined this information from 10 seconds of research through wikipedia. Seriously, look stuff up before blindly commenting on it.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    2. Re:Please stop helping Iran and friends by Charliemopps · · Score: 2

      until they decide to use the technology on us. Then it will be bad. At least we don't have to worry about them assassinating a US citizen right?

    3. Re:Please stop helping Iran and friends by Anonymous Coward · · Score: 0

      How do you know Duqu was not commissioned by Iran?

    4. Re:Please stop helping Iran and friends by r00t · · Score: 1

      It's thought to be the same team, this time gathering the needed info for stuxnet version 2. Instead of attacking SCADA, Duqu researches SCADA systems. It's getting passwords, certificates, and other goodies needed to make stuxnet version 2 a huge success.

    5. Re:Please stop helping Iran and friends by Anonymous Coward · · Score: 0

      > This has nothing to do with stuxnet.

      Iran's CERT has just announced that Duqu is an upgraded version of the "Stars" malware they detected this spring. Twitter has since deleted that post for guess what reasons, but Kaspersky Lab's antivirus blog preserved it here:
      http://www.securelist.com/en/images/pictures/klblog/208193213.png

      We now know that Duqu is a tool, which the axis of New York - Tel-Aviv used to obtain digital documents showing Iran is working on nuclear warhead designs.

      The only problem is they are like 25 years late. I mean Mordechai Vanunu, a jewish nuclear technician turned peace activist, who converted to christianity in 1986 and promptly published many documents and photos about the zionist A-bomb manufacturing activity at the Negev Dimona reactor. At that time the world couldn't care less, the jews were still a kind of a sacred cow, no matter what nasty they did. This global indifference towards zionist evil led to the first palestinian intifada in 1987.

      Yet, times change. Judging from the recent warm welcome the UNESCO's members gave to the palestinians, most of the world now strongly dislikes the zionist idea that jews are somehow "more equal" than other human races. Somehow New York - Tel-Aviv still thinks jews can make hundreds of nuclear warheads and put them on super submarines, gotten from Germany for free, while at the same time telling Iran not to get either of those, but to become a sitting duck?

      Hopefully Russia and China will offer security guarantees to Iran to block the possibility of a judeo-american attack on Teheran. Pakistan should also stand up eventually and rely on her nuclear weapons arsenal for weight to frankly tell the axis of New York - Tel-Aviv:
      1., Stay away from hurting islamic Iran
      2., Stop the drones extrajudically killing muslim people in Afghanistan and Pakistan

      Iran is in a difficult position, but already they emerged victorious from the 7-year war against Iraq, where the USA and zionists were financing, while USSR and France were arming the iraqi war effort against the lone and blockaded Iran. Yet, Iran emerged victorious at the price of her one million war dead. Persian people dearly love their motherland and they will give sons' life if that is needed to stop the zionist aggressors. They know zionists and their US puppets are looking to occupy a huge judeo-empire from the Nile to the rivers of Tiger and Euphrates, as shown on their 10 agorot coinage. There would be no place for muslim people in that empire of "Greater Zion", therefore Iran is standing up for herself and to prevent the deportation of all palestinians to the barren pampas of Argentine's Tierra del Fuego.

      The muslim faithful win! Allahu akbar! Ins'Allah!

  3. Gimp for Windows has Python by Anonymous Coward · · Score: 1

    If you have Gimp installed on a Windows system, it has a Python executable in its Python directory. Gimp uses Python for its plugins.

    1. Re:Gimp for Windows has Python by Anonymous Coward · · Score: 0

      Yeah, that really helps, thanks.

    2. Re:Gimp for Windows has Python by Mojo66 · · Score: 1

      On UNIX, if Python would come bundled with GIMP, it would be installed in /usr/bin and thus available to all applications, whereas on ingenious Windows, the default install location would be somewhere in \Program Files\ where it never gets picked up by anything.

    3. Re:Gimp for Windows has Python by gd2shoe · · Score: 1

      It doesn't have a whole lot of free (or inexpensive) software more powerful than GIMP. (It does have moderate and very expensive software that is much better than GIMP.) Now the cheap software available does tend to have a much cleaner/easier user interface than GIMP...

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    4. Re:Gimp for Windows has Python by Anonymous Coward · · Score: 0

      Paint.NET is free and Paint Shop Pro X4 is $50. Both are objectively better than GIMP. There are lots of other free and inexpensive raster graphics programs for Windows, as well as the high end stuff like Painter and Photoshop.

    5. Re:Gimp for Windows has Python by Anonymous Coward · · Score: 0

      This is patently untrue, as it depends on how the GIMP was built and installed.

    6. Re:Gimp for Windows has Python by gmhowell · · Score: 1

      Even the most computer illiterate person knows how to get a copy of Photoshop and a serial number on their Windows machine. This is not 'Free' as in speech software, but 'Free' as in beer. Which is really all that most people care about.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    7. Re:Gimp for Windows has Python by Anonymous Coward · · Score: 0

      Don't be too certain about that. I deploy the Esri suite of packages at work, and these tend to install Python for the purpose of writing add-ons. For Esri, you can set the install location for Python via a switch in the installer, and it defaults to c:\pythonMm (with M being major version, and m minor). I assume it'll also add this location to the Path.

  4. Ultimate purpose of Duqu by Hank+the+Lion · · Score: 1

    In Suriname / Dutch slang, "doekoe" (pronounced as "duku") means money.
    So, what would be the ultimate purpose of "Duqu"?
    To make heaps of money with it!

    1. Re:Ultimate purpose of Duqu by Anonymous Coward · · Score: 0

      The obvious purpose is to get python installed on every Windows desktop.

    2. Re:Ultimate purpose of Duqu by Splenetiatist · · Score: 1

      It was named by researchers after the files it creates , which are prefixed "~DQ".

    3. Re:Ultimate purpose of Duqu by Tomato42 · · Score: 1

      One doesn't exclude the other. Informative nonetheless.

    4. Re:Ultimate purpose of Duqu by Anonymous Coward · · Score: 0

      A lot more informative than some idiotic, wild guess based on slang. You know, without actually doing any research on where the name actually came from.

    5. Re:Ultimate purpose of Duqu by InlawBiker · · Score: 1

      Because it's professionally written from a Stuxnet base, uses a signed driver, a new 0-day in MS Word, takes screen shots and key logs and also completely removes itself in 30-some days... It's probably a government spy program. My guess.

    6. Re:Ultimate purpose of Duqu by lennier · · Score: 1

      ...a new 0-day in MS Word...

      That right there is the main problem here.

      Why, ten years after Microsoft announced that they were "focusing on security", is commercial software from any vendor still allowed to be shipped with 0-days embedded? These things can be found with rigorous enough testing (ie, what criminal gangs are able to afford). Why then is it not a criminal offence for a company to sell software without having done this amount of testing? They are aiding and abetting criminal enterprise by allowing these security holes to exist in software they wrote.

      This isn't a game any more. It's time to get real about software security on the Internet, or get out of the industry. Stop shipping native code if you can't guarantee that you can write it 100% correctly every time. It doesn't matter how fast your word processor runs if it gets your customers pwned.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  5. Then one has to ask why they didn't address it by Sycraft-fu · · Score: 1

    The GP is correct: Python is not common on Windows systems, particularly desktops. Means most users can't grab the tool and use it, which is really what you want. The more steps required for a tool to be used, the less likely people are to use it.

    1. Re:Then one has to ask why they didn't address it by Anonymous Coward · · Score: 0

      one word: py2exe

    2. Re:Then one has to ask why they didn't address it by lennier1 · · Score: 1

      Exactly!

      Weren't there plans for the gpodder client to switch to this one as well (instead of creating the package manually)?

  6. Re:why? by justcauseisjustthat · · Score: 1

    non-diverse corporate systems are the easiest to attack, right behind Windows

  7. Not much of a virus by jamesh · · Score: 1

    Seriously... what sort of a virus/trojan/worm makes its presence known by leaving the driver files around for any old userspace app to peruse???

    Every time I come across a virus I am kind of disappointed at how easy they are to detect. They hook this and that, but then go and kill your antivirus software - a dead giveaway. That wouldn't trip up most home users, but then the malware also makes so many TCP connections that internet browsing doesn't work anymore, which means the user either wipes it and reinstalls, or takes it into the shop to get fixed. Actually finding where the thing is hiding is still a bit of a challenge, but the fact that they kill AV tools and pretty much anything from sysinternals, and the egress traffic they generate, is a dead giveaway that something is hiding there.

    OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

    1. Re:Not much of a virus by da8add1e · · Score: 1

      yeh it's called windows :P

    2. Re:Not much of a virus by Splenetiatist · · Score: 1

      Every time I come across a virus I am kind of disappointed at how easy they are to detect.

      You're disappointed by badly written viruses?

    3. Re:Not much of a virus by dragonturtle69 · · Score: 1

      OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

      It is the process that appears to do nothing that is a real concern.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    4. Re:Not much of a virus by Johann+Lau · · Score: 1

      "Every time I come across a virus I am kind of disappointed at how easy they are to detect"

      maybe that's because you only come across those that are detectable by your tools? ^^

    5. Re:Not much of a virus by jamesh · · Score: 1

      "Every time I come across a virus I am kind of disappointed at how easy they are to detect"

      maybe that's because you only come across those that are detectable by your tools? ^^

      You stopped reading before the last line?

    6. Re:Not much of a virus by Johann+Lau · · Score: 1

      why did that last line not make you realize the pointlessness of your post?

      are you "coming across" viruses by any other ways of them killing tools? if not, why would it surprise you that you only come across such blatant viruses? the other way I guess would be a warning from the AV before anything gets executed... does that disappoint you, too? the virus has a choice -- turn off the AV before it gets updated, and risk the user noticing (and do you really think everybody does? oh we all wish they would, but that is hardly the case), or don't turn off the AV, and be more or less SURE to get removed at some point, whether the user has a clue or not, because it happens automatically and/or with big popups.

      oh, and sysinternal tools aren't "easy" -- when you take the actual target demographic of most viruses into account. even paying attention to the AV tray icon is too much to ask for some. but dabbling with security tools? yeah, right. so in practice, that is already perfect. where do you think botnets come from? forgotten corporate servers -- or home computers of people who simply have not the faintest idea of what is going on in their machine? maybe I'm a cynic, but I think you need a reality check :P

    7. Re:Not much of a virus by Anonymous Coward · · Score: 0

      "Every time I come across a virus I am kind of disappointed at how easy they are to detect"

      maybe that's because you only come across those that are detectable by your tools? ^^

      Er...That's the point.

      Virus scanning tools are not new. The basic principles virus scanners use are reasonably well understood. It's not hard for someone to predict what behavior will wander across a virus scanner's notice.

      And yet, it's still the case that the vast majority of viruses in the wild scream "I'm a virus" at the top of their lungs. And get found. And get patched. Sure, you get 2-3 days of press out of it. But it's amazing how many people in possession of a zero-day exploit, the keys to the kingdom, do such a half-ass job cashing in. Most viruses are bad software. And while I'm grateful for being blessed with dumb enemies, it's amazing people still try so many things that they should know won't work.

      The day I worry about is the one where we stop having "ZOMG new virus!" e-mails every few weeks. That's when we'll know the virus writers have finally wised up to the point that we're really screwed.

  8. but Microsoft promised by Anonymous Coward · · Score: 0

    Didn't Microsoft promise that they were going to run their exploit detection tools on all their software?

    Whatever came of that?

  9. space indentation & beauty of python portabili by Anonymous Coward · · Score: 0

    File "DuquDriverPatterns.py", line 991
            patternsFound = {}
                                                ^
    TabError: inconsistent use of tabs and spaces in indentation

  10. Not working. How can I download the script? by Anonymous Coward · · Score: 0

    download 1
    Win XP, Python 3.2.2, script downloaded by 'save as' clicked on the file name. Result - parts of the website's HTML included in the PY file.

    c:\Program Files\python32>python.exe DuquDriverPatterns.py
        File "DuquDriverPatterns.py", line 4
           
            ^
    SyntaxError: invalid syntax

    ==-=-=-=
    download 2
    Script copied

    c:\Program Files\python32>python.exe du.py
        File "du.py", line 991
            patternsFound = {}
            ^
    IndentationError: expected an indented block

    =-=--=-=
    download 3
    ahhh i found it, download and zipped version!! AND FAIL AGAIN?

    c:\Program Files\python32>python.exe DuquDriverPatterns.py
        File "DuquDriverPatterns.py", line 991
            patternsFound = {}
                                                ^
    TabError: inconsistent use of tabs and spaces in indentation

    -=-=-=-=-=-=-

    SIMPLE QUESTION. HOW CAN I DOWNLOAD AND EXECUTE THIS FILE WITHOUT ERRORS????

    1. Re:Not working. How can I download the script? by Almost-Retired · · Score: 1

      I did the copy/paste myself, from that web page and it sucks to have to fix all the gawddamned tabs the html engine or the copy paste inserts needlessly. Where the hell is the download button?

      But I did it, good enough that it runs, but it's done instantly, so I guess I'll try my hand at editing a real Python file to put in some prints and see what is null; it pays no attention to what would be argc[2].
      If anyone has a clue what this line is supposed to do on a Linux box, speak up, Python total newbie here.

        rootdir = sys.argv[1]

      If it's supposed to take a CLI argument, how is it passed to a Python script?

      Cheers, Gene

    2. Re:Not working. How can I download the script? by Bodhammer · · Score: 1

      python.exe DuquDriverPatterns.py c:

      --
      "I say we take off, nuke the site from orbit. It's the only way to be sure."
    3. Re:Not working. How can I download the script? by Almost-Retired · · Score: 1

      That is obviously for winderz, this is linux. I finally hardcoded the script for /, but that is too wide a brush and eventually reset the system, probably out of ram, only 4Gb in this box.

      Thanks & Cheers, Gene

  11. I'm one who does (with a reason) by Anonymous Coward · · Score: 0

    I co-wrote & use a Python 2.7x based system for populating a custom HOSTS file from many reputable & reliable sources (around 15 total), & it works non-stop, every 15 minutes here (which the system also removes duplicates/normalizes the data also) doing so... I moved from a system built in Delphi (2002-2010) & before that, from Access (only did part of the FULL job the last 2 did though, 1997-2002).

    Why'd I go Python?

    Well... because it's pretty much "write once/run anywhere" multi-platform capable, & I tend to stick by 2.7x compatible code (as I heard there's still "1/2 baked-ness" type issues w/ 3.x series still)... & there you are.

    * Anyhow/anyways: So - Yes, there ARE Windows users who have it online, myself being one of them!

    APK

    P.S.=> Still, I'll give you 1 thing - I'm probably a rarity though, I'll give you that!

    ...apk

  12. U CAN kill Duqu w/ Recovery Console by Anonymous Coward · · Score: 0

    You can use your installation media to clear bootsector malware of any kind!

    ---

    1.) Boot up to RECOVERY CONSOLE (read only environs of the install media, use this)

    2.) Use FixMBR to FIRST fix a bootsector

    3.) OPTIONAL: IF a bogus rootkit protects that with a driver (ala hello_tt.sys, from "the indestructible rootkit" a month or so ago)? You can use the DISABLE command to stop said "bogus bootsector protector" driver (again, hello_tt.sys in the case above), which upon reboot disables the protective driver from loading and protecting its bogus bootsector!

    ---

    The KNOWN drivers to disable, are as follows:

    cmi4432.sys, jminet7.sys, nfrd965.sys, & adpu321.sys 4 drivers & NETP191.PNF DLL is the usermode lib to destroy & that's covered below too on its removal a couple ways!

    (The files noted are per Symantec's updated research on it here -> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf )

    (After this "optional step" (optional for rootkits that just use a bogus bootsector that is), because this thing uses drivers, perform step #1 once more, & you SHOULD be ok - this is how you kill these types of rootkits from a read-only inviolate environs, & one that works PRIOR to a rootkit being able to deceive usermode antivirus/antispyware/antimalware tools in general!)

    Mind you - This is about a 5 MINUTE FIX too, very fast...

    * You do those steps, in THAT exact order, with most ANY rootkit (provided their drivers do NOT protect the reg init. area for drivers (which isn't always the case in rootkits, using drivers for that))?

    It's history!

    (AND, yes, with tools you already OWN if you're a Windows user!)

    NOW - Should the rootkit "haul in" more malware while you're in usermode operations?

    Well, 2 ways to kill that too (sometimes, rootkits do that also in usermode):

    ---

    A.) RECOVERY CONSOLE bootup, use the DEL command on the offending malware's files...

    OR

    B.) ProcessExplorer.exe (to first find the offending exe or dll/lib, even if loaded under another process, infesting/infecting it, to first halt the parent calling process & delete the malware dll/lib on disk being called on).

    ---

    "Here endeth the lesson"...

    APK

    P.S.=> LINUX IS NOT NEEDED AT ALL TO KILL THIS THING & as long as this thing's drivers DO NOT PROTECT THE REGISTRY INIT./LOAD AREAS FOR THOSE DRIVERS (& as far as I have read about its current design, it does not)? This technique will work to make it "history" ... apk

  13. CrySyS duqu detector toolkit by boldi · · Score: 1

    CrySys Lab released a new open-source toolkit to detect duqu traces (possibly some file left after duqu uninstalled itself after 30-36 days) and running Duqu instances.
      http://www.crysys.hu/duqudetector/
    Our tool combines heuristic and signature-based approaches, e.g. it calculates entropy for .PNF files and reports those suspiciously random ones.
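The two detection ideas in this thread, matching the Duqu file names quoted from Symantec's paper in the Recovery Console post and the CrySyS entropy heuristic for .PNF files, fit in one short scanner. The script below is an added example, not the NSS Labs or CrySyS tool: it takes the root directory from `sys.argv[1]` (the line Gene asked about), walks it, flags the listed file names case-insensitively, and reports any .PNF whose Shannon entropy is above a threshold. The 7.0 bits/byte threshold, the function names and the constructed sample tree are assumptions made for this demonstration.

```python
"""Added example (not the NSS Labs or CrySyS tool): walk a directory given
on the command line, flag the Duqu driver/PNF names quoted in the thread,
and apply an entropy heuristic to .PNF files. Threshold is an assumption."""
import math
import os
import sys
import tempfile
from collections import Counter

# File names quoted in the thread (from Symantec's Duqu paper); compared case-insensitively.
KNOWN_NAMES = {"cmi4432.sys", "jminet7.sys", "nfrd965.sys", "adpu321.sys", "netp191.pnf"}
# Assumption: a .PNF whose bytes are this random (bits per byte, max 8.0) deserves a look.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(rootdir, threshold=ENTROPY_THRESHOLD):
    """Return (path, reason, entropy) tuples for suspicious files under rootdir."""
    findings = []
    for dirpath, _subdirs, files in os.walk(rootdir):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in KNOWN_NAMES:
                findings.append((path, "known Duqu filename", None))
            if lower.endswith(".pnf"):
                try:
                    with open(path, "rb") as fh:
                        entropy = shannon_entropy(fh.read())
                except OSError:
                    continue  # locked or permission-denied file: skip it, don't abort the scan
                if entropy >= threshold:
                    findings.append((path, "high-entropy .PNF", round(entropy, 2)))
    return findings


def build_sample_tree(base):
    """Constructed sample tree for the demo; the contents are NOT real Duqu artefacts."""
    samples = {
        "cmi4432.sys": b"MZ" + b"\x00" * 64,                          # known name only
        os.path.join("inf", "netp191.pnf"): bytes(range(256)) * 16,   # known name, entropy 8.0
        os.path.join("inf", "oem1.pnf"): b'[Version]\r\nSignature="$Windows NT$"\r\n' * 50,
        "readme.txt": b"nothing to see here",
    }
    for rel, content in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Scan the constructed tree and return {(file name, reason)} for checking."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {(os.path.basename(p), reason) for p, reason, _ in scan(base)}


if __name__ == "__main__":
    # Usage: python duqu_scan_example.py <rootdir>   (e.g. C:\Windows\inf, or a mounted image)
    if len(sys.argv) < 2:
        print("usage: python duqu_scan_example.py <rootdir>")
        sys.exit(2)
    for path, reason, entropy in scan(sys.argv[1]):
        print(f"{reason:22s} {'' if entropy is None else entropy:>6} {path}")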