A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9530  by frank_boldewin
 Fri Nov 04, 2011 10:50 am
Edi wrote: Isn't the dropper MD5 b4ac366e24204d821376653279cbad8 (232448 bytes)? I just can't find out what the encryption routine is. Anyone know?
This is not the dropper, just a PNF file, where files are stored in encrypted format.

The dropper is stored in a Word doc. Currently only very few people have this dropper, and this won't change until Microsoft has released an official patch. And even then I doubt it will be released to the public, because it would reveal the company that was targeted by this attack.
 #9531  by EP_X0FF
 Fri Nov 04, 2011 11:07 am
Edi wrote: Isn't the dropper
It is under NDA.

However, the 0day exploit can (and will) be recovered by all interested by reverse-engineering the patch that will be released.
 #9532  by Edi
 Fri Nov 04, 2011 12:09 pm
frank_boldewin wrote:
Edi wrote: Isn't the dropper MD5 b4ac366e24204d821376653279cbad8 (232448 bytes)? I just can't find out what the encryption routine is. Anyone know?
This is not the dropper, just a PNF file, where files are stored in encrypted format.

The dropper is stored in a Word doc. Currently only very few people have this dropper, and this won't change until Microsoft has released an official patch. And even then I doubt it will be released to the public, because it would reveal the company that was targeted by this attack.
In the Symantec paper it says: "b4ac366e24204d821376653279cbad86 11/4/2010 16:48 - netp191.pnf Encrypted DLL loaded by jminet7.sys"

Btw, I forgot the "6" in the MD5 Sum :oops:
 #9535  by GhostLight
 Fri Nov 04, 2011 2:01 pm
frank_boldewin wrote: believe me, this is not the dropper.

Btw, Microsoft just released an advisory:

http://technet.microsoft.com/en-us/secu ... ry/2639658

So the bug is triggered during TTF parsing and is not directly a vuln in Office.
"gjf" pointed earlier in this thread to this: http://www.securelist.com/en/blog/20819 ... Part_Three

"Symantec and Microsoft still haven't made the actual dropper file available to other antivirus companies yet, nor have they provided information about which Windows component contains the vulnerability that results in privilege escalation. However, indirect evidence suggests that the vulnerability is in win32k.sys."
 #9554  by R136a1
 Sat Nov 05, 2011 10:14 pm
Piece of the puzzle: last year's on-and-off media propaganda of the Iranian threat to world peace
...widely known (if not, you probably got brainwashed)

Piece of the puzzle: Stuxnet -> throw back Iranian nuclear program
...widely known

Piece of the puzzle: Duqu aka Stars -> spy on Iranian nuclear program
http://www.securelist.com/en/blog/20819 ... re_in_Iran

Piece of the puzzle: last days emerging media attention of an early attack against Iran
h**p://rt.com/news/bomb-iran-nuclear-sites-473/
h**p://rt.com/news/nuclear-iran-terrorist-usa-627/
h**p://www.bbc.co.uk/news/world-middle-east-15607844
h**p://edition.cnn.com/2011/10/12/justice/iran-saudi-plot/ (bizarre)
...

Let's see where this will end...
 #9556  by Meriadoc
 Sun Nov 06, 2011 12:03 am
Resource for Duqu related: SCADAhacker