Inside the Duqu Worm's Source Code
angry tapir writes "Wrapped in the code the Duqu worm uses to infect computers is the message: 'Copyright (c) 2003 Showtime Inc. All rights reserved. DexterRegularDexter.' An analysis of the worm has also revealed that Duqu, which is similar to Stuxnet and may even have been written by the same developers, may be four years old and that it generally tries to steal information on Wednesdays."
Via email attachments?? Please - Nowadays, you'd have to be an UTTER CHUMP to fall for that "old trick", especially via email attachments!
* MOST FOLKS should also KNOW that macros, especially autoexec macros in MS' OLE structured compound document types, can be avoided by pressing SHIFT while opening said docs - this stops autoexec macros from "firing", period... & iirc? Modern versions of Office, even older ones? They have options for disabling them too!
(Not that great for Access forms though since most are automated to open to various dataprocessing functionality type systems for end-users/workers, but still a safety measure that SHOULD be used... especially in today's "malware-ridden world"!)
* Now, it's being called "beautiful" in its interior code work, & it very well MAY BE quite elegant but... its delivery mechanism is "2nd rate", imo @ least.
APK
P.S.=> Seriously folks - if you fall for that, opening up attached documents from those you DO NOT KNOW, or @ least having antivirus/antimalware programs that are updated & current set to SCAN said attachments?
Man - honestly: You probably had it coming & especially IF you don't run antivirus/antispyware @ THE VERY LEAST, that's updated & current vs. this + other threats online (if not disable scripting in email period & doing text only) - Personally, I have its known C&C servers blocked out in firewalls & hosts files here too, in addition to using MS Security Essentials which afaik IS aware of it & has signatures vs. it...
... apk
In my init. post you replied to? There, I note I use a firewall too (learn to read) & per my subject-line above? Ok, here goes:
E.G. #1 - The words of a security expert, Oliver Day (SECUNIA) CLEARLY disagree w/ you:
A RETURN TO THE KILLFILE:
http://www.securityfocus.com/columnists/491
Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):
---
"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."
Speed, and security, is the gain... others like Mr. Day note it as well!
---
"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."
Per my points exactly, no less...
Additionally - Guess who was posting about HOSTS files 14+ yrs. or more back & Mr. Day was reading & now using? Yours truly!
(& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html)
---
"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."
There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also)
PLUS?
Well, you'll also get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL as well - DOUBLE-BONUS!
---
Slashdotters've "modded up" my posts on HOSTS files in these posts also - you're outnumbered approximately 23:1 in them:
BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722
HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608
HOSTS MOD UP:2009 ->
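The post above leans on a large HOSTS file as a blocklist (sinkholing known C&C and ad hosts to 0.0.0.0/127.0.0.1) and as a DNS-independent way to pin a site to an IP. An added example, not from the post or from any of the linked pages: a small auditor that parses a hosts file in that style, counts what it blocks and what it pins, flags duplicate lines, and flags the failure mode a defender cares about most, a well-known domain being redirected to a non-loopback address (the classic sign of a tampered hosts file). The sample file, the block-address set and the watchlist are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file in the blocklist style the post describes (not a real list).
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1   localhost
0.0.0.0     ads.example-tracker.test
0.0.0.0     cnc.example-malware.test   # constructed C&C placeholder
198.51.100.7  pinned.example.test      # site pinned to an IP so it resolves without DNS
203.0.113.9   update.microsoft.com     # suspicious: well-known domain sent to a non-loopback IP
0.0.0.0     ads.example-tracker.test   # duplicate of line 3
"""

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}   # addresses used to "block" a host
LOCAL_NAMES = {"localhost", "localhost.localdomain"}      # loopback mappings that are not blocks
# Constructed watchlist: domains a hosts file should never redirect to a routable address.
WATCHLIST = {"update.microsoft.com", "windowsupdate.com"}

def parse_hosts(text):
    """Return [(ip, hostname, lineno)] for every mapping; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # malformed line; resolvers ignore it too
        for host in parts[1:]:
            entries.append((ip, host.lower(), lineno))
    return entries

def audit_hosts(text):
    """Classify entries as blocked, pinned or suspicious and report duplicate lines."""
    seen, dupes, blocked, pinned, suspicious = set(), [], set(), {}, []
    for ip, host, lineno in parse_hosts(text):
        if (ip, host) in seen:
            dupes.append(lineno)
        seen.add((ip, host))
        if host in LOCAL_NAMES:
            continue
        if ip in SINKHOLE_ADDRS:
            blocked.add(host)
        else:
            pinned[host] = ip
            if host in WATCHLIST or any(host.endswith("." + w) for w in WATCHLIST):
                suspicious.append((host, ip, lineno))
    return {"blocked": blocked, "pinned": pinned, "suspicious": suspicious, "duplicate_lines": dupes}
```

Note that the hosts file only governs the OS resolver; applications that do their own name resolution (the Tor DNS case the quoted article mentions, or a browser using DNS over HTTPS) bypass it, so its block and pin entries do not apply to them.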
They'd sue anyone.