CrySyS Duqu Detector Toolkit v1.01
Developed by Gabor Pek
(C) Laboratory of Cryptography and System Security

What is this tool for?

This detector toolkit combines simple detection techniques to find Duqu infections on a single computer or across a whole network. It contains both signature-based and heuristic methods, and it can find traces of an infection even where the components of the malware have already been removed from the system. The intention behind the tools is to find different types of anomalies (e.g., suspicious files) and known indicators of the presence of Duqu on the analyzed computer. As with any anomaly detection tool, it may generate false positives. Therefore, professional personnel are needed to evaluate the resulting log files and decide on further steps.

The toolkit consists of very simple, easy-to-analyze source code, so it can also be used in special environments, e.g. in critical infrastructures, after inspection of the source code (to check that it contains no backdoor or malicious code) and recompilation.

Usage

The toolkit contains 4 different executable components:

FindDuquSys.exe
CalcPNFEntropy.exe
FindDuquTmp.exe
FindPNFnoINF.exe

All of these programs can be executed directly from the command line. Each program accepts a single optional parameter: the path of the log file to which it saves its results. If the parameter is not given, the program writes its log to duqudetector_log.txt in the working directory. During execution, log information is also written to the console.

For convenience, we also provide a batch file, FindDuqu.bat, which executes all 4 tools with the same log file parameter.

Details and analysis of the results

The toolkit detects suspicious files that can be indicators of the presence of Duqu. It may also detect new, modified versions of the Duqu threat.
Duqu deactivates after a time limit and removes itself from the computer, but some temporary files may still indicate that the computer was affected by a former Duqu infection; our toolkit may identify these cases, too. The tools work as follows:

FindDuquSys.exe

This tool tries to find the loader component of Duqu, its .sys kernel driver file. It uses binary signature matching on all driver files in the system32\drivers directory. The signature components were selected so that modified versions of Duqu may be detected as well. It is not impossible, however, that the tool detects these signatures in legitimate files, so a match is only an indication that the particular file needs detailed manual analysis. Note that the program may need elevated privileges to successfully test all .sys files.

CalcPNFEntropy.exe

The CalcPNFEntropy tool tries to find suspicious .PNF files in the Windows installation. Both Duqu and Stuxnet place components in encrypted form into the %WINDIR%\inf directory with a .PNF extension. Encrypted and compressed files have a distinctive characteristic: the entropy calculated over the whole file is higher than that of other, ordinary binary files. Our tool calculates the entropy of every file in %WINDIR%\inf. If a file's entropy is above the threshold of 0.6, the file is reported in the log file as suspicious. For real-life Duqu samples this entropy is around 0.9 in our experience.

FindDuquTmp.exe

The Duqu malware got its name from its use of temporary files whose names begin with ~DQ. In fact, Duqu uses several kinds of temporary files, and we try to find all of them:

- The existence of ~DN1.tmp indicates that the keylogger/infostealer component may be installed on the computer. Our tool checks files in the %TEMP% directory, i.e., only in the temporary directory of the current user!
- ~DQ* files may be log files of the keylogger/infostealer. Parts of these files are checked against Duqu's magic values, and matches are indicated in the log file.
- ~DF* files (generally followed by five hexadecimal digits) are created by an unknown part of Duqu and contain compressed files stolen from the computer. Our tool checks whether such files begin with a modified bzip magic, which indicates that the file is likely related to Duqu. Any such file is indicated in the log file.

FindPNFnoINF.exe

The PNF files installed by Duqu have no corresponding .inf files. Therefore, PNF files without a matching .inf file are also suspicious. Our tool checks all .PNF files in %WINDIR%\inf and reports those that have no related file with the .inf extension. Such files are sometimes normal, since improper uninstallation of drivers can leave them behind, so professionals should check the results, as this can easily be a false positive.

How to use the tools on a large network?

Consider running the tools at every login to the domain in your network and collecting the log files in a central directory. You can then analyze the results for the whole network in a single place.

Evaluation of results

We created the toolkit so that if a real and active Duqu infection is present, running all our tools will result in clear indications. However, a single suspicious result may just be a false positive. In any case, professional experience is needed to carefully analyze these results and to reach a final verdict on the findings. Most likely this analysis can be done remotely if someone gathers the log file and all corresponding (seemingly suspicious) files from the computer and transfers them to professionals.

Liability

The toolkit is provided "as is", and no guarantee or warranty is given for the results or side effects that it may produce. The use of the toolkit is at the sole risk and liability of the user.
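As an added illustration of the two checks on %WINDIR%\inf described under CalcPNFEntropy.exe and FindPNFnoINF.exe above, the following Python script is example code written for this document; it is not the toolkit's C++ source. It assumes that the 0.6 threshold refers to byte entropy normalised to the range 0..1 (Shannon entropy in bits divided by 8, so a perfectly uniform file scores 1.0), which is consistent with the 0.6 and 0.9 figures quoted above. It runs against a constructed sample directory standing in for %WINDIR%\inf rather than a live system; the sample file contents are made up and are not Duqu artifacts.

```python
"""Added example: the two %WINDIR%\\inf checks (high entropy, PNF without INF) in Python.

Illustration code for this README, not the toolkit's C++ source. The 0.6 threshold is
assumed to be on a 0..1 scale (Shannon entropy in bits divided by 8).
"""
import math
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 0.6  # README threshold; assumed to be on the normalised 0..1 scale


def normalised_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, divided by 8 so that 1.0 is the maximum.

    Encrypted or compressed content approaches 1.0; plain text stays well below 0.6
    because it uses only a few dozen distinct byte values.
    """
    if not data:
        return 0.0
    n = len(data)
    bits = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return bits / 8.0


def scan_inf_dir(inf_dir, log_path, threshold=ENTROPY_THRESHOLD):
    """Run both checks over one directory and append findings to the log file.

    Returns (high_entropy_files, orphan_pnf_files), each a sorted list of file names.
    Windows file names are case-insensitive, so stems and extensions are compared in
    lower case (e.g. NETCARD.PNF matches netcard.inf).
    """
    inf_dir = Path(inf_dir)
    files = sorted(p for p in inf_dir.iterdir() if p.is_file())
    inf_stems = {p.stem.lower() for p in files if p.suffix.lower() == ".inf"}
    high, orphans, log_lines = [], [], []
    for path in files:
        e = normalised_entropy(path.read_bytes())
        if e > threshold:  # CalcPNFEntropy-style check, applied to every file in the directory
            high.append(path.name)
            log_lines.append(f"HIGH_ENTROPY {e:.3f} {path}")
        if path.suffix.lower() == ".pnf" and path.stem.lower() not in inf_stems:
            orphans.append(path.name)  # FindPNFnoINF-style check: .PNF with no .inf sibling
            log_lines.append(f"PNF_WITHOUT_INF {path}")
    with Path(log_path).open("a", encoding="utf-8") as log:
        log.write("".join(line + "\n" for line in log_lines))
    return high, orphans


def build_fixture(root) -> Path:
    """Create a constructed stand-in for %WINDIR%\\inf; none of this is real Duqu data."""
    inf = Path(root) / "inf"
    inf.mkdir()
    # legitimate pair: an INF and its precompiled PNF, both low entropy
    (inf / "netcard.inf").write_text('[Version]\nSignature="$Windows NT$"\n' * 20)
    (inf / "netcard.PNF").write_bytes(b"\x00" * 2048 + b"netcard driver binary index " * 40)
    # leftover of an improperly uninstalled driver: PNF without INF, but low entropy
    (inf / "orphan.PNF").write_bytes(b"plain text leftover from an uninstalled driver\n" * 30)
    # "encrypted-looking" PNF without INF: every byte value equally often -> entropy 1.0
    (inf / "payload.PNF").write_bytes(bytes(range(256)) * 16)
    return inf


def run_demo():
    """Build the fixture in a temporary directory and return the two result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        inf = build_fixture(tmp)
        return scan_inf_dir(inf, Path(tmp) / "duqudetector_log.txt")


if __name__ == "__main__":
    high, orphans = run_demo()
    print("files above entropy threshold:", high)
    print("PNF files without a matching INF:", orphans)
```

In the constructed sample only payload.PNF crosses the entropy threshold, while both orphan.PNF and payload.PNF lack an .inf sibling. A file that trips both checks is the strongest indication; one that trips only the INF check is the kind of leftover the README warns is often a false positive, so the two log lines should be read together rather than in isolation.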
License

The source code is available for evaluation purposes. The binary files can be freely used in commercial and non-commercial environments.

Contact

Questions and comments are welcome. The corresponding author is Dr. Boldizsár Bencsáth, duqudetector@crysys.hu

Laboratory of Cryptography and System Security (CrySyS) – http://www.crysys.hu/
Budapest University of Technology and Economics
Department of Telecommunications
1117 Magyar Tudósok Krt. 2.
Budapest, Hungary

GPG: BENCSATH Boldizsar, Key ID 0x64CF6EFB
Fingerprint: 286C A586 6311 36B3 2F94 B905 AFB7 C688 64CF 6EFB

Annexes

FAQ

Q: I found a false positive; it looks like X software contains the same signature.
A: Please send us information on this and we will do our best to update our tools.

Q: I found traces of Duqu, what now?
A: Hire professionals to handle your problem.

Q: Can I contact you to analyse our results / consult / work on an incident?
A: It depends. First of all, we have limited resources and time. However, providing consulting services is part of our income, so you have a chance.

Q: What should I do if I find files related to Duqu? Delete all these files?
A: First of all, don't panic. In Duqu infections, forensics is very important, so instead of deleting files, start a careful process to preserve forensic material (memory dump, full disk image). You may of course need additional steps, such as locking down the subnetwork. There is no space here to describe best practice, so it is better to consult professionals.

Q: Do you plan to extend this tool with feature X?
A: It depends on the feedback we receive and our available resources. Feel free to contact us if you want to sponsor our work.

How to build from scratch

There are 4 main source files, one per executable:

findduqusys.cpp
calcpnfentropy.cpp
findduqutmp.cpp
findpnfnoinf.cpp

Furthermore, each of these source files uses common functions and constants contained in common.cpp and common.h.
The executables are compiled with MS Visual Studio 2008 using default settings. Before compilation, make sure that one of the main source files, together with common.cpp and the common.h header, makes up a Visual C++ project. Note that the current executables are built on a 32-bit system.