Slashdot Mirror


Open Source Tool Scans For Duqu Drivers

wiredmikey writes "A new open source scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers, and to enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware."


  1. Windows virus detector in python? by lpt1 · · Score: 4, Informative

    I like the effort, and appreciate the tool, but how many windows users have python installed? ;>

    1. Re:Windows virus detector in python? by lennier1 · · Score: 1

      That will probably be addressed at a later point.
      Turning Python source into an executable isn't exactly rocket science.

    2. Re:Windows virus detector in python? by ardeez · · Score: 1

      Yup, loose indentation is a real problem in Python.

      --
      don't be a spelling loser
    3. Re:Windows virus detector in python? by sgt+scrub · · Score: 1

      They were even nice enough to import os and use os.path.join so it would be cross platform. These guys know something the rest of us don't?

      --
      Having to work for a living is the root of all evil.
    4. Re:Windows virus detector in python? by jrumney · · Score: 1

      Yup, loose indentation is a real problem of Python.

      FTFY

    5. Re:Windows virus detector in python? by twrake · · Score: 1

      To install python on windows

      http://python.org/ftp/python/3.2.2/python-3.2.2.msi

      My problem is that the .py file seems to be coded as HTML. Perhaps it is just that darn time change...

    6. Re:Windows virus detector in python? by twrake · · Score: 1

      Stupid! I downloaded the page with source code encoded. I need more caffeine.

    7. Re:Windows virus detector in python? by Anonymous Coward · · Score: 1

      Indentation should not be a requirement of a programming language. It should be there only for readability purposes. So yes this is a failure of python.

    8. Re:Windows virus detector in python? by kiddygrinder · · Score: 1

      should? nice argument.

      --
      This is a joke. I am joking. Joke joke joke.
  2. Gimp for Windows has Python by Anonymous Coward · · Score: 1

    If you have Gimp installed on a windows system, it has a Python executable in its Python directory. Gimp uses Python for its plugins.

    1. Re:Gimp for Windows has Python by Mojo66 · · Score: 1

      On UNIX, if Python would come bundled with GIMP, it would be installed in /usr/bin and thus available to all applications, whereas on ingenious Windows, the default install location would be somewhere in \Program Files\ where it never gets picked up by anything.

    2. Re:Gimp for Windows has Python by gd2shoe · · Score: 1

      It doesn't have a whole lot of free (or inexpensive) software more powerful than GIMP. (It does have moderate and very expensive software that is much better than GIMP.) Now the cheap software available does tend to have a much cleaner/easier user interface than GIMP...

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    3. Re:Gimp for Windows has Python by gmhowell · · Score: 1

      Even the most computer illiterate person knows how to get a copy of Photoshop and a serial number on their Windows machine. This is not 'Free' as in speech software, but 'Free' as in beer. Which is really all that most people care about.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  3. Ultimate purpose of Duqu by Hank+the+Lion · · Score: 1

    In Suriname / Dutch slang, "doekoe" (pronounced as "duku") means money.
    So, what would be the ultimate purpose of "Duqu"?
    To make heaps of money with it!

    1. Re:Ultimate purpose of Duqu by Splenetiatist · · Score: 1

      It was named by researchers after the files it creates, which are prefixed "~DQ".

    2. Re:Ultimate purpose of Duqu by Tomato42 · · Score: 1

      One doesn't exclude the other. Informative nonetheless.

    3. Re:Ultimate purpose of Duqu by InlawBiker · · Score: 1

      Because it's professionally written from a Stuxnet base, uses a signed driver, a new 0-day in MS Word, takes screen shots and key logs and also completely removes itself in 30-some days... It's probably a government spy program. My guess.

    4. Re:Ultimate purpose of Duqu by lennier · · Score: 1

      ...a new 0-day in MS Word...

      That right there is the main problem here.

      Why, ten years after Microsoft announced that they were "focusing on security", is commercial software from any vendor still allowed to be shipped with 0-days embedded? These things can be found with rigorous enough testing (ie, what criminal gangs are able to afford). Why then is it not a criminal offence for a company to sell software without having done this amount of testing? They are aiding and abetting criminal enterprise by allowing these security holes to exist in software they wrote.

      This isn't a game any more. It's time to get real about software security on the Internet, or get out of the industry. Stop shipping native code if you can't guarantee that you can write it 100% correctly every time. It doesn't matter how fast your word processor runs if it gets your customers pwned.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  4. Then one has to ask why they didn't address it by Sycraft-fu · · Score: 1

    The GP is correct: Python is not common on Windows systems, particularly desktops. Means most users can't grab the tool and use it, which is really what you want. The more steps required for a tool to be used, the less likely people are to use it.

    1. Re:Then one has to ask why they didn't address it by lennier1 · · Score: 1

      Exactly!

      Weren't there plans for the gpodder client to switch to this one as well (instead of creating the package manually)?

  5. Re:why? by justcauseisjustthat · · Score: 1

    non-diverse corporate systems are the easiest to attack, right behind Windows

  6. Not much of a virus by jamesh · · Score: 1

    Seriously... what sort of a virus/trojan/worm makes its presence known by leaving the driver files around for any old userspace app to peruse???

    Every time I come across a virus I am kind of disappointed at how easy they are to detect. They hook this and that, but then go and kill your antivirus software - a dead giveaway. That wouldn't trip up most home users, but then the malware also makes so many TCP connections that internet browsing doesn't work anymore, which means the user either wipes it and reinstalls, or takes it into the shop to get fixed. Actually finding where the thing is hiding is still a bit of a challenge, but the fact that they kill AV tools and pretty much anything from sysinternals, and the egress traffic they generate, is a dead giveaway that something is hiding there.

    OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

    1. Re:Not much of a virus by da8add1e · · Score: 1

      yeh it's called windows :P

    2. Re:Not much of a virus by Splenetiatist · · Score: 1

      Every time I come across a virus I am kind of disappointed at how easy they are to detect.

      You're disappointed by badly written viruses?

    3. Re:Not much of a virus by dragonturtle69 · · Score: 1

      OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

      It is the process that appears to do nothing that is a real concern.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    4. Re:Not much of a virus by Johann+Lau · · Score: 1

      "Every time I come across a virus I am kind of disappointed at how easy they are to detect"

      maybe that's because you only come across those that are detectable by your tools? ^^

    5. Re:Not much of a virus by jamesh · · Score: 1

      "Every time I come across a virus I am kind of disappointed at how easy they are to detect"

      maybe that's because you only come across those that are detectable by your tools? ^^

      You stopped reading before the last line?

    6. Re:Not much of a virus by Johann+Lau · · Score: 1

      why did that last line not make you realize the pointlessness of your post?

      are you "coming across" viruses by any other ways of them killing tools? if not, why would it surprise you that you only come across such blatant viruses? the other way I guess would be a warning from the AV before anything gets executed... does that disappoint you, too? the virus has a choice -- turn off the AV before it gets updated, and risk the user noticing (and do you really think everybody does? oh we all wish they would, but that is hardly the case), or don't turn off the AV, and be more or less SURE to get removed at some point, whether the user has a clue or not, because it happens automatically and/or with big popups.

      oh, and sysinternal tools aren't "easy" -- when you take the actual target demographic of most viruses into account. even paying attention to the AV tray icon is too much to ask for some. but dabbling with security tools? yeah, right. so in practice, that is already perfect. where do you think botnets come from? forgotten corporate servers -- or home computers of people who simply have not the faintest idea of what is going on in their machine? maybe I'm a cynic, but I think you need a reality check :P

  7. Re:Please stop helping Iran and friends by Mr.+Freeman · · Score: 2

    You idiot. This has nothing to do with stuxnet. Yes, it's very similar in how it works, but it serves a completely different purpose. Duqu isn't targeting Iran or any industrial/commercial automation and control systems. I determined this information from 10 seconds of research through wikipedia. Seriously, look stuff up before blindly commenting on it.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
  8. Re:Please stop helping Iran and friends by Charliemopps · · Score: 2

    until they decide to use the technology on us. Then it will be bad. At least we don't have to worry about them assassinating a US citizen right?

  9. Re:Please stop helping Iran and friends by r00t · · Score: 1

    It's thought to be the same team, this time gathering the needed info for stuxnet version 2. Instead of attacking SCADA, Duqu researches SCADA systems. It's getting passwords, certificates, and other goodies needed to make stuxnet version 2 a huge success.

  10. Re:Not working. How can I download the script? by Almost-Retired · · Score: 1

    I did the copy/paste myself, from that web page and it sucks to have to fix all the gawddamned tabs the html engine or the copy paste inserts needlessly. Where the hell is the download button?

    But I did it, good enough that it runs, but it's done instantly, so I guess I try my hand at editing a real python file to put in some prints and see what is null, it pays no attention to what would be argc[2].
    If anyone has a clue what this line is supposed to do on a linux box, speak up, python total newbie here.

      rootdir = sys.argv[1]

    If it's supposed to take a cli argument, how is it passed to a python script?

    Cheers, Gene

  11. Re:Not working. How can I download the script? by Bodhammer · · Score: 1

    python.exe DuquDriverPatterns.py c:

    --
    "I say we take off, nuke the site from orbit. It's the only way to be sure."
  12. Re:Not working. How can I download the script? by Almost-Retired · · Score: 1

    That is obviously for winderz, this is linux. I finally hardcoded the script for /, but that is too wide a brush and eventually reset the system, probably out of ram, only 4Gb in this box.

    Thanks & Cheers, Gene

  13. CrySyS duqu detector toolkit by boldi · · Score: 1

    CrySys Lab released a new open-source toolkit to detect duqu traces (possibly some file left after duqu uninstalled itself after 30-36 days) and running Duqu instances.
      http://www.crysys.hu/duqudetector/
    Our tool combines a heuristic and signature-based approach, e.g. it calculates entropy for .PNF files and reports those suspiciously random ones.
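
An added illustration of the two mechanics discussed in this thread, the scan root passed as sys.argv[1] and walked with os.path.join (comments 10 to 12) and the CrySyS-style entropy heuristic over .PNF files (comment 13); it is example code, not the NSS Labs script or the CrySyS toolkit. The function names, the 7.0 bits/byte cut-off and the two sample files are assumptions constructed for the demo.

```python
import hashlib
import math
import os
import sys
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for empty or single-symbol input, at most 8."""
    n = len(data)
    return float(-sum((c / n) * math.log2(c / n) for c in Counter(data).values()))

def scan_tree(rootdir: str, threshold: float = 7.0):
    """Return [(path, entropy)] for .pnf files under rootdir above threshold; the
    7.0 bits/byte default is an assumption (text scores well below, ciphertext near 8)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(rootdir):
        for name in filenames:
            if not name.lower().endswith(".pnf"):
                continue
            path = os.path.join(dirpath, name)  # portable joining, as the thread notes
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            ent = shannon_entropy(data)
            if ent > threshold:
                hits.append((path, round(ent, 3)))
    return hits

def build_sample_tree() -> str:
    """Constructed sample data: an INF-like text .pnf and a random-looking .pnf."""
    root = tempfile.mkdtemp(prefix="pnf-demo-")
    samples = {
        "plain.pnf": b'[Version]\r\nSignature="$Windows NT$"\r\n' * 50,
        # deterministic pseudo-random bytes (SHA-256 chain) stand in for ciphertext
        "random.pnf": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    # As asked in the thread: the directory to scan arrives as sys.argv[1].
    rootdir = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, ent in scan_tree(rootdir):
        print(f"{ent:.3f}  {path}")
```

Run as `python3 scan.py /` (or `c:\` on Windows) to scan a real tree; with no argument it builds the constructed sample and reports only the random-looking file. Entropy alone flags any compressed or encrypted file, so a hit is a lead to examine, not a verdict.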