Targeted attacks


Our Laboratory of Cryptography and System Security (CrySyS Lab) discovered the Duqu malware; pursued the analysis of the Duqu malware and as a result of our investigation, we identified a dropper file with an MS 0-day kernel exploit inside; and finally we released a new open-source toolkit to detect Duqu traces and running Duqu instances.

CrySyS Lab: report / scientific paper / software (Duqu detector) / press coverage
Symantec: report / status update


Our Laboratory of Cryptography and System Security (CrySyS Lab) participated in an international collaboration aiming at the analysis of an as yet unknown malware, which we call sKyWIper. At the same time Kaspersky Lab. analyzed the malware Flame and Iran National CERT (MAHER) the malware Flamer. Later, these malwares turned out to be the same.

CrySyS Lab: report / scientific paper / press coverage
Iranian National CERT (MAHER): news
Kaspersky Lab: report


Our Laboratory of Cryptography and System Security (CrySyS Lab) developed an online Gauss detector service which checks if a client machine has the Palida Narrow font installed.

CrySyS Lab: software (Gauss detector) / software (Gauss info collector) / scientific paper / press coverage
Kaspersky Lab: report


Earlier in February 2013, FireEye announced the discovery of a new malware that exploited a 0-day vulnerability in Adobe Reader. Now, we announce another, as yet unknown malware that exploits the same Adobe Reader vulnerability (CVE-2013-0640).

Kaspersky Lab and CrySyS Lab carried out the first analysis of this new targeted malware attack in a joint effort and named the malware Miniduke. A detailed report on the results of our joint investigation has been published by Kaspersky Labs showing the malware's operation, C&C infrastructure and communications. CrySyS Lab published a report that contains information on the indicators of Miniduke infections and gives specific hints on its detection.

CrySyS Lab: blog entry / report (on indicators of compromise and detection) / press coverage
Kaspersky Lab: blog entry and report


The CrySyS Lab, Budapest has been notified by the Hungarian National Security Authority ( about the detection of an ongoing high profile targeted attack affecting our home country, Hungary. During our investigation of the incident, we discovered a number of C&C servers, and a large number of malware samples that have been used in multiple attacks campaigns in the last couple of years. As part of the attackers’ activities is based on misusing the TeamViewer remote access tool, we named the entire malicious toolkit TeamSpy.

CrySyS Lab: blog entry / report / press coverage
Kaspersky Lab: blog entry / report
Symantec: blog

Budapest University of Technology and Economics
Department of Networked Systems and Services
CrySyS - Laboratory of Cryptography and Systems Security