A forum for reverse engineering, OS internals and malware analysis 

W32.Duqu

Forum for analysis and discussion about malware.

Re: W32.Duqu

 #10227  by EP_X0FF
 Thu Dec 08, 2011 7:31 am
How do you want to prevent/block if you don't know what is it, how does it work and what it exploits? By denying everything? Becoming a slave of "security" trashware is not the option for everyone.

Re: W32.Duqu

 #10228  by ssj100
 Thu Dec 08, 2011 7:45 am
EP_X0FF wrote:How do you want to prevent/block if you don't know what is it, how does it work and what it exploits? By denying everything? Becoming a slave of "security" trashware is not the option for everyone.
Many zero-day exploits can be easily mitigated by utilising a variety of programs, some of them free. And you don't need to become a slave at all. For example, if this wasn't a kernel-level exploit, opening the document in Sandboxie would probably prevent the exploit.

I've been told that kernel-level exploits can pretty much do what they like, no matter what security is in place. However, I just wanted to check, and since there appears to be a nice description of how exactly this particular kernel zero-day exploit works, I thought someone could share some insight into possible methods to block it. If it's not possible, then that answers the question too.

Re: W32.Duqu

 #10229  by EP_X0FF
 Thu Dec 08, 2011 8:02 am
ssj100 wrote:Many zero-day exploits can be easily mitigated by utilising a variety of programs, some of them free. And you don't need to become a slave at all. For example, if this wasn't a kernel-level exploit, opening the document in Sandboxie would probably prevent the exploit.
Because sandboxie can supervise it at upper level. In case of kernel exploiting I doubt that something like this exists or will be implemented because of overhead. However for example common attack vectors used in kernel mode exploits can be covered by system itself, what was done for example in Windows 8 (e.g. - NULL dereference vulnerabilities class).

Re: W32.Duqu

 #10308  by gjf
 Mon Dec 12, 2011 10:04 am
The Mystery of Duqu: Part Five
IMHO Kaspersky Lab is played out with this case: Gostev stopped publishing his "interesting" investigations and some other expert starts his own:
The driver is registered in the HKLM\System\CurrentControlSet\Services\ registry path. The exact name of the registry key varies in different versions of Duqu drivers.
WOW! Quite smart! :lol:

Re: W32.Duqu

 #11040  by crazyeddie
 Sun Jan 15, 2012 11:13 am
Did anyone happen to get the python script before eset shut down the git site?

http://www.itsecuresite.com/seclabs/ese ... -date.html

Files of interest:

- python script for decrypting duqu configs
- decrypted duqu configs, as referenced in a blog:

https://github.com/eset/Duqu/blob/maste ... fg_decr.py
https://github.com/eset/Duqu/tree/master/config_decr

I hope someone did. A exhaustive interest search did not bring up nothing.

CE
 Return to “Malware”