Duqu detector

CrySyS Duqu Detector Toolkit v1.24

Symantec identified a new sample of Duqu some days ago which is not detected by our FindDuquSys signature based tool. Most likely the authors play the cat and mouse game with us, so we took the next step and thanks for the Symantec sample we incorporated new signatures into v1.24.

No other modification is done - yet. We'll keep up analysis, please share possible samples on our submission link. Note that we have no information if the creators of Duqu tried to evade other detection methods of us, therefore, no modifications were made on them.

Download link:

v1.24 all files (.zip), manual (text) 

CrySyS Duqu Detector Toolkit v1.23


We are happy to introduce the Duqu Detector Toolkit v1.23 of CrySyS Lab as of 15/Mar/2012.

Besides new versions of the previous detector tools that provide usability enhancements, we now also provide two brand new detector tools. The upgraded toolkit will provide better functionality for those who have already successfully used the former version.

Changes:

- New module: FindInjectedSections.exe finds injected code in system processes (e.g., injected code in lsass.exe).

- New module: FindDuquReg finds registry entries with high entropy. (There are known examples for valid programs that put high entropy data in the registry, so false positives are possible!)

- Components now accept a log level parameter to tune how much information should be collected.

- Four different sample batch files are included that correspond to four different usage scenarios: Lazy; Normal; Plus; Rigorous. In lazy mode some components simply won't run in order to avoid false positives.

- FindDuquSys now checks the System Volume Information folder recusively if possible; this helps to find traces in System Restore.

- Sample batch file is included for modifying access rights on the System Volume Information folder

- SHA-1 and MD5 sums and file size are now logged for the components found.

- Programs now report on exit and log command line parameters.

- Some improvements in error handling and reporting are provided.

Users may send us suspicious samples via the link: https://www.crysys.hu/duqusubmit/

Samples sent anonymously (e.g., via Tor) will be investigated and possibly shared with the A/V industry. Samples with known origin won't be shared without  the permission obtained from the origin.

Users can also use This email address is being protected from spambots. You need JavaScript enabled to view it. to contact us. PGP key can be found in the manual.

Download link:

v1.23  all files (.zip), manual (text) 

CRYSYS DUQU DETECTOR TOOLKIT

We developed a detector toolkit that combines simple detection techniques to find Duqu infections on a computer or in a whole network. The toolkit contains signature and heuristics based methods and it is able to find traces of infections where components of the malware are already removed from the system.

The intention behind the tools is to find different types of anomalies (e.g., suspicious files) and known indicators of the presence of Duqu on the analyzed computer. As other anomaly detection tools, it is possible that it generates false positives. Therefore, professional personnel is needed to elaborate the resulting log files of the tool and decide about further steps.

This toolkit contains very simple, easy-to-analyze program source code, thus it may also be used in special environments, e.g. in critical infrastructures, after inspection of the source code (to check that there is no backdoor or malicious code inside) and recompiling.


 

Download links

Current version, GPLv3 license applies.

v1.24 all files (.zip), manual (text) 

(Previous versions)

v1.23: all files (.zip), manual (text)

v1.02: all files (.zip), manual (text)

v1.01: all files (.zip), manual (text)



Budapest University of Technology and Economics
Department of Networked Systems and Services
CrySyS - Laboratory of Cryptography and Systems Security