W32.Duqu


W32.Duqu

Postby a_d_13 » Tue Oct 18, 2011 6:13 pm

Hello,

Interesting new research paper from Symantec about Stuxnet look-alike W32.Duqu.

http://www.symantec.com/content/en/us/e ... tuxnet.pdf

Thanks,
--AD
a_d_13
Site Admin
 
Posts: 393
Joined: Sun Mar 07, 2010 3:31 am
Reputation point: 106

Re: W32.Duqu

Postby Striker » Tue Oct 18, 2011 6:21 pm

Anyone got a sample? :>
I love the old days.

Striker
 
Posts: 52
Joined: Thu Mar 10, 2011 2:22 pm
Location: Germany
Reputation point: 11

Re: W32.Duqu

Postby cjbi » Tue Oct 18, 2011 6:34 pm

cjbi
 
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am
Reputation point: 84

Re: W32.Duqu

Postby EP_X0FF » Wed Oct 19, 2011 1:32 am

Two drivers in the attachment. The C-Media Electronics Incorporation certificate is revoked.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: W32.Duqu

Postby shaheen » Wed Oct 19, 2011 5:32 am

Wonder if anyone has a dropper for it?
shaheen
 
Posts: 35
Joined: Wed Jun 09, 2010 11:08 pm
Reputation point: 4

Re: W32.Duqu

Postby Blaze » Wed Oct 19, 2011 8:29 am

Dropper attached.
Follow me on Twitter: @bartblaze
Blaze
 
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71

Re: W32.Duqu

Postby frank_boldewin » Wed Oct 19, 2011 10:20 am

I don't have a dropper, only several files from an infected box, but I'm not allowed to share currently.

From what I've seen so far it doesn't contain PLC code. It's more of a keylogger, but the codebase and several techniques are very similar to Stuxnet code.
If you are lucky and get all the needed files, you have to prepare your box a little to make it work.

The cmi4432.sys and jminet7.sys drivers contain the same code. The difference is that one is signed and the other one is not.

The driver installs a LoadImage callback and injects 4 payloads, stored in PNF files, into services.exe.

There is also a fake lsass.exe, which does the keyboard hooking (WH_KEYBOARD hook).
The *.pnf files need to be in %systemroot%\inf.

If the driver gets loaded it decrypts the PNF files from this directory.
If you want to analyse the drivers with WinDbg, you first have to bypass the
KdDebuggerEnabled check at the beginning of the code.

In order to work properly the drivers need the registry entry:

"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\
6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26,\
ce,cb,1c,1e,45,b0,ff,a0,dd,c0,a3,e8,58,31,0c,b2,a1,dd,11,37,ba,aa,1e,66,d3,\
1f,b4,2f,e1,7c,eb,b6,a2,58,a0,25,62,77,b5,4c,d3,79,02,07,be,8f,bb,57,43,7c,\
43,b5,d0,67,25,19,10,27,67,a5,15,38,9f,43

All other parameters are straightforward.

The FILTER registry string decrypts to some Unicode string information:

services.exe
\SystemRoot\inf\cmi4432.PNF

The PNF files decrypt to the payload that is injected into services.exe.

MD5 sums of the files I got are:

0a566b1616c8afeef214372b1a0580c7
4541e850a228eb69fd0f0e924624b245
e8d6b4dadb96ddb58775e6c85b10b6cc
0eecd17c6c215b358b7b872b74bfd800
9749d38ae9b9ddd81b50aad679ee87ec
b4ac366e24204d821376653279cbad86
94c4ef91dfcd0c53a96fdc387f9f9c35
frank_boldewin
 
Posts: 115
Joined: Thu Apr 22, 2010 8:59 am
Location: germany
Reputation point: 89
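As an added defender-side example (this is not code from the thread or from any of its posters), the Python below does three things an analyst working from the post above would want: it turns the FILTER value from regedit `hex:` syntax into raw bytes so it can be handed to a decryptor, it lists UTF-16 strings in a blob so the decrypted output can be checked against the two strings quoted in the post, and it sweeps a directory for the file names and MD5 sums listed there. The cipher protecting FILTER is not given on the page, so no decryption is implemented; the sweep's sample directory and file contents are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post above: the two driver names, the PNF
# container name, and the MD5 sums listed there.
KNOWN_NAMES = {"cmi4432.sys", "jminet7.sys", "cmi4432.pnf"}
KNOWN_MD5 = {
    "0a566b1616c8afeef214372b1a0580c7",
    "4541e850a228eb69fd0f0e924624b245",
    "e8d6b4dadb96ddb58775e6c85b10b6cc",
    "0eecd17c6c215b358b7b872b74bfd800",
    "9749d38ae9b9ddd81b50aad679ee87ec",
    "b4ac366e24204d821376653279cbad86",
    "94c4ef91dfcd0c53a96fdc387f9f9c35",
}

# The FILTER value exactly as posted, in regedit .reg export syntax
# (a trailing backslash continues the byte list on the next line).
FILTER_REG_LINE = r'''"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\
6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26,\
ce,cb,1c,1e,45,b0,ff,a0,dd,c0,a3,e8,58,31,0c,b2,a1,dd,11,37,ba,aa,1e,66,d3,\
1f,b4,2f,e1,7c,eb,b6,a2,58,a0,25,62,77,b5,4c,d3,79,02,07,be,8f,bb,57,43,7c,\
43,b5,d0,67,25,19,10,27,67,a5,15,38,9f,43'''


def parse_reg_hex(value: str) -> bytes:
    """Turn a .reg-style `hex:` (or `hex(N):`) byte list into bytes.

    Accepts either the bare value or a whole `"NAME"=hex:...` line and
    tolerates the `,\\` + newline continuations that regedit writes.
    """
    _, marker, data = value.partition("hex")
    if not marker:
        raise ValueError("not a REG hex value")
    data = re.sub(r"^\([0-9a-fA-F]+\)", "", data)  # drop optional type, e.g. hex(7)
    if not data.startswith(":"):
        raise ValueError("malformed hex value")
    tokens = re.split(r"[,\s\\]+", data[1:])
    return bytes(int(tok, 16) for tok in tokens if tok)


FILTER_BYTES = parse_reg_hex(FILTER_REG_LINE)


def utf16_strings(blob: bytes, min_chars: int = 4) -> list:
    """List printable UTF-16LE runs in a byte blob.

    Intended for the *decrypted* FILTER data: the post says it yields
    "services.exe" and "\\SystemRoot\\inf\\cmi4432.PNF". The cipher is not
    on the page, so this only checks the output of your own decryptor.
    """
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def sweep(root, known_md5=KNOWN_MD5, known_names=KNOWN_NAMES) -> list:
    """Walk `root` and report files whose name or MD5 matches the post's IoCs."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in known_names:
            reasons.append("name: " + path.name)
        digest = hashlib.md5(path.read_bytes()).hexdigest()
        if digest in known_md5:
            reasons.append("md5: " + digest)
        if reasons:
            hits.append((str(path), reasons))
    return hits


def demo_sweep() -> list:
    """Constructed demo: a fake inf directory with one suspicious name and one
    benign file. The cmi4432.PNF content is made up (it is not Duqu), so its
    MD5 is added to the hash set only to exercise the hash-match path too."""
    root = tempfile.mkdtemp(prefix="duqu_demo_")
    inf = Path(root) / "inf"
    inf.mkdir()
    (inf / "cmi4432.PNF").write_bytes(b"constructed sample, not Duqu")
    (inf / "oem1.PNF").write_bytes(b"benign precompiled inf")
    fake_md5 = hashlib.md5(b"constructed sample, not Duqu").hexdigest()
    return sweep(root, known_md5=KNOWN_MD5 | {fake_md5})


if __name__ == "__main__":
    print(len(FILTER_BYTES), "bytes in FILTER, starting", FILTER_BYTES[:4].hex())
    for path, reasons in demo_sweep():
        print(path, reasons)
```

Note that legitimate precompiled INF files also live in %systemroot%\inf as *.PNF, so the sweep only flags the specific names and hashes from the post rather than every PNF file; a real hunt would add the revoked C-Media certificate and the KdDebuggerEnabled check mentioned elsewhere in the thread as further pivots.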

Re: W32.Duqu

Postby EP_X0FF » Thu Oct 20, 2011 1:01 pm

Blaze wrote: Dropper attached.

This isn't a dropper. This is another recompiled driver.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: W32.Duqu

Postby rkhunter » Thu Oct 20, 2011 2:34 pm

EP_X0FF wrote:
  Blaze wrote: Dropper attached.

  This isn't a dropper. This is another recompiled driver.

According to the imports, it is focused on injection into processes. The KdDebuggerEnabled check is also present.
rkhunter
 
Posts: 1145
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: W32.Duqu

Postby CloneRanger » Fri Oct 21, 2011 12:29 am

If someone supplies me with the full install, I'll test it against my security software ;) and post the results :)

TIA
Malware = If your name's not down, you're not coming in!
CloneRanger
 
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm
Reputation point: 14
