
Open Source Tool Scans For Duqu Drivers

timothy posted more than 2 years ago | from the my-system-is-duqu-free dept.

Security 64

wiredmikey writes "A new open source scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers, and to enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu malware."


64 comments


why? (-1)

Anonymous Coward | more than 2 years ago | (#37963936)

why? you are using windows...

Re:why? (-1)

Anonymous Coward | more than 2 years ago | (#37964042)

Stupidity. We run our company off of GNU/Linux!!!! If we can do it so can others.... Failure is a lack of trying. We have zero Microsoft Windows systems. Don't get me wrong. We do interact with Microsoft Windows. We are in the computer business. We just don't sell them. We don't use them. We don't really even support them. We only "fix" them and about half our customer base has moved to or is in the process of moving (every other customer just about buys a GNU/Linux system from us and LIKES it).

Re:why? (1)

justcauseisjustthat (1150803) | more than 2 years ago | (#37964294)

non-diverse corporate systems are the easiest to attack, right behind Windows

Windows virus detector in python? (4, Informative)

lpt1 (46613) | more than 2 years ago | (#37963940)

I like the effort, and appreciate the tool, but how many windows users have python installed? ;>

Re:Windows virus detector in python? (1)

lennier1 (264730) | more than 2 years ago | (#37963952)

That will probably be addressed at a later point.
Turning Python source into an executable isn't exactly rocket science.

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37964080)

C:\Python32>python.exe DuquDriverPatterns.py
    File "DuquDriverPatterns.py", line 991
        patternsFound = {}
                                            ^
TabError: inconsistent use of tabs and spaces in indentation

Is this a correct usage of the program?

And does this mean it hasn't found any instances?

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37964134)

A copy/paste of the source code from the web page will loose the indentation, which is important for Python code.
Try downloading the raw [github.com] file.

Re:Windows virus detector in python? (1)

ardeez (1614603) | more than 2 years ago | (#37964138)

Yup, loose indentation is a real problem in Python.

Re:Windows virus detector in python? (1)

jrumney (197329) | more than 2 years ago | (#37965436)

Yup, loose indentation is a real problem of Python.

FTFY

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37966646)

Obligatory:

Yup, loose indentation is a real problem of sloppy programmers.

FTFY

Re:Windows virus detector in python? (1)

Anonymous Coward | more than 2 years ago | (#37968174)

Indentation should not be a requirement of a programming language. It should be there only for readability purposes. So yes this is a failure of python.

Re:Windows virus detector in python? (1)

kiddygrinder (605598) | more than 2 years ago | (#38045882)

should? nice argument.

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37964184)

well d'uh!
I did d/w the RAW file, executed it and it resulted in the same error message.

Also I tried to make an .exe from this but py2exe only works with lower versions of Python.
I wanted to upload it to rapidshare for n00b users like me - click and run.
I found another way to freeze scripts - cx_freeze but I am giving up.
Please, someone who is more tech savvy, compile this into a standalone binary
and provide it for the n00bsters. k0xbai

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37964256)

The "for indent in" line is space-based, the rest are tabs; you need to change them to be the same. Also, if you're using Python 3.x remember to change
print stuff
to
print(stuff)
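To see why the downloaded script dies with TabError, and why the right fix depends on the tab width the author's editor assumed, here is an added example (not the NSS Labs script and not code from any poster in this thread). It flags indented lines whose style disagrees with the rest of the file, then re-expands leading tabs with a few candidate widths until the file compiles. SAMPLE is constructed to mirror the quoted error: a tab-indented file whose "for" body was pasted with 8 spaces.

```python
"""Detect mixed tab/space indentation and repair it by re-expanding tabs.

Added example for this thread; it is not part of DuquDriverPatterns.py.
"""
import sys

# Constructed sample: the file is tab-indented, but the "for" body was pasted
# with 8 spaces (the author's editor presumably showed a tab as 4 columns).
SAMPLE = (
    "def scan(root):\n"
    "\tpatternsFound = {}\n"
    "\tfor indent in root:\n"
    "        patternsFound[indent] = 1\n"
    "\treturn patternsFound\n"
)


def leading_whitespace(line):
    """Return the run of tabs/spaces at the start of a line."""
    return line[: len(line) - len(line.lstrip(" \t"))]


def mixed_indent_lines(source):
    """1-based numbers of indented lines whose indent style (tab-led or
    space-led) differs from the first indented line, or that mix both."""
    style = None
    offenders = []
    for lineno, line in enumerate(source.splitlines(), 1):
        ws = leading_whitespace(line)
        if not ws or not line.strip():
            continue  # unindented or blank line: nothing to compare
        this = "tab" if ws[0] == "\t" else "space"
        if style is None:
            style = this
        if this != style or ("\t" in ws and " " in ws):
            offenders.append(lineno)
    return offenders


def compile_error(source):
    """Name of the exception compile() raises, or None if the source compiles."""
    try:
        compile(source, "<sample>", "exec")
    except SyntaxError as exc:  # TabError and IndentationError are subclasses
        return type(exc).__name__
    return None


def expand_leading_tabs(source, tab_size):
    """Expand tabs only in leading whitespace; tabs inside string literals stay."""
    out = []
    for line in source.splitlines(keepends=True):
        ws = leading_whitespace(line)
        out.append(ws.expandtabs(tab_size) + line[len(ws):])
    return "".join(out)


def repair_indentation(source, candidates=(8, 4, 2)):
    """Try each tab width; return (fixed_source, tab_size) for the first one
    that compiles, or (None, None). Python's own default (8) is tried first."""
    for tab_size in candidates:
        fixed = expand_leading_tabs(source, tab_size)
        if compile_error(fixed) is None:
            return fixed, tab_size
    return None, None


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("lines with inconsistent indentation:", mixed_indent_lines(src))
    print("as downloaded:", compile_error(src))
    fixed, tab_size = repair_indentation(src)
    if fixed is None:
        print("no candidate tab width made the file compile")
    else:
        print("compiles after expanding leading tabs to %d spaces" % tab_size)
```

Note that the constructed sample only compiles with a tab width of 4: at Python's default of 8 the loop body lands on the same column as the "for" line and you get the "expected an indented block" IndentationError that appears further down this thread. The standard library ships "python -m tabnanny file.py" for the detection half of this.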

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37964094)

Have you seen the script? It's piss easy, in fact I might rewrite it in C++ right now...

Then one has to ask why they didn't address it (1)

Sycraft-fu (314770) | more than 2 years ago | (#37964218)

The GP is correct: Python is not common on Windows systems, particularly desktops. Means most users can't grab the tool and use it, which is really what you want. The more steps required for a tool to be used, the less likely people are to use it.

Re:Then one has to ask why they didn't address it (0)

Anonymous Coward | more than 2 years ago | (#37964280)

one word: py2exe

Re:Then one has to ask why they didn't address it (1)

lennier1 (264730) | more than 2 years ago | (#37965080)

Exactly!

Weren't there plans for the gpodder client to switch to this one as well (instead of creating the package manually)?

Re:Windows virus detector in python? (0)

r00t (33219) | more than 2 years ago | (#37964276)

I like the effort, and appreciate the tool

You'd rather these adversaries fight with regular weapons???? (rifles, air dropped bombs, car bombs, silenced pistols, choke cords, polonium tea, cruise missiles, tanks, nuclear devices...)

I don't like the effort, and I don't appreciate the tool. I'm sure Mohamed Saher would like us to help out with his tool, but no thanks. Some countries sorely need to get pwned, and I applaud all efforts to do so.

Re:Windows virus detector in python? (1)

sgt scrub (869860) | more than 2 years ago | (#37964734)

They were even nice enough to import os and use os.path.join so it would be cross platform. These guys know something the rest of us don't?

Re:Windows virus detector in python? (1)

twrake (168507) | more than 2 years ago | (#37965658)

To install python on windows

http://python.org/ftp/python/3.2.2/python-3.2.2.msi [python.org]

My problem is that the .py file seems to be coded as HTML. Perhaps it is just that darn time change...

Re:Windows virus detector in python? (1)

twrake (168507) | more than 2 years ago | (#37965696)

Stupid! I downloaded the page with the source code encoded. I need more caffeine.

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37965742)

I have the same problem in running the script under Windows ... also opening it with the Python shell always gives errors
about inconsistent use of tabs and spaces in indentation. Does anyone have a clue about this?
Using python 3.2.2 x64 down from this link :

http://www.python.org/ftp/python/3.2.2/python-3.2.2.amd64.msi

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#37973760)

just scan from a live linux cd geniuses... the drivers are probably hidden in a running windows system, anyway...

U CAN kill Duqu w/ Recovery Console (0)

Anonymous Coward | more than 2 years ago | (#37977924)

You can use your installation media to clear bootsector malware of any kind!

---

1.) Boot up to RECOVERY CONSOLE (read only environs of the install media, use this)

2.) Use FixMBR to FIRST fix a bootsector

3.) OPTIONAL: IF a bogus rootkit protects that with a driver (ala hello_tt.sys, from "the indestructible rootkit" a month or so ago)? You can use the DISABLE command to stop said "bogus bootsector protector" driver (again, hello_tt.sys in the case above), which upon reboot disables the protective driver from loading and protecting its bogus bootsector!

---

The KNOWN drivers to disable, are as follows:

cmi4432.sys, jminet7.sys, nfrd965.sys, & adpu321.sys 4 drivers & NETP191.PNF DLL is the usermode lib to destroy & that's covered below too on its removal a couple ways!

(The files noted are per Symantec's updated research on it here -> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf [symantec.com] )

(After this "optional step" (optional for rootkits that just use a bogus bootsector that is), because this thing uses drivers, perform step #1 once more, & you SHOULD be ok - this is how you kill these types of rootkits from a read-only inviolate environs, & one that works PRIOR to a rootkit being able to deceive usermode antivirus/antispyware/antimalware tools in general!)

Mind you - This is about a 5 MINUTE FIX too, very fast...

* You do those steps, in THAT exact order, with most ANY rootkit (provided their drivers do NOT protect the reg init. area for drivers (which isn't always the case in rootkits, using drivers for that))?

It's history!

(AND, yes, with tools you already OWN if you're a Windows user!)

NOW - Should the rootkit "haul in" more malware while you're in usermode operations?

Well, 2 ways to kill that too (sometimes, rootkits do that also in usermode):

---

A.) RECOVERY CONSOLE bootup, use the DEL command on the offending malware's files...

OR

B.) ProcessExplorer.exe (to first find the offending exe or, dll/lib even if loaded under another process, infesting/infecting it, to first halt the parent calling process & delete the malware dll/lib on disk being called on).

---

"Here endeth the lesson"...

APK

P.S.=> LINUX IS NOT NEEDED AT ALL TO KILL THIS THING & as long as this thing's drivers DO NOT PROTECT THE REGISTRY INIT./LOAD AREAS FOR THOSE DRIVERS (& as far as I have read about its current design, it does not)? This technique will work to make it "history" ... apk

I'm one who does (with a reason) (0)

Anonymous Coward | more than 2 years ago | (#37976564)

I co-wrote & use a Python 2.7x based system for populating a custom HOSTS file from many reputable & reliable sources (around 15 total), & it works non-stop, every 15 minutes here (which the system also removes duplicates/normalizes the data also) doing so... I moved from a system built in Delphi (2002-2010) & before that, from Access (only did part of the FULL job the last 2 did though, 1997-2002).

Why'd I go Python?

Well... because it's pretty much "write once/run anywhere" multi-platform capable, & I tend to stick by 2.7x compatible code (as I heard there's still "1/2 baked-ness" type issues w/ 3.x series still)... & there you are.

* Anyhow/anyways: So - Yes, there ARE Windows users who have it online, myself being one of them!

APK

P.S.=> Still, I'll give you 1 thing - I'm probably a rarity though, I'll give you that!

...apk

Re:Windows virus detector in python? (0)

Anonymous Coward | more than 2 years ago | (#38071544)

Try IDLE, a Python IDE available for Windows, free and easy to install, comes with various add-ons.
Here's a couple of links:

https://secure.wikimedia.org/wikipedia/en/wiki/IDLE_%28Python%29

http://docs.python.org/library/idle.html

http://www.python.org/getit/

Please stop helping Iran and friends (0)

r00t (33219) | more than 2 years ago | (#37964154)

Look, whoever is doing this...

1. is doing good

2. probably will resort to bombs, cruise missiles, and/or sneaky poisoning if this doesn't work

Re:Please stop helping Iran and friends (2)

Mr. Freeman (933986) | more than 2 years ago | (#37964574)

You idiot. This has nothing to do with stuxnet. Yes, it's very similar in how it works, but it serves a completely different purpose. Duqu isn't targeting Iran or any industrial/commercial automation and control systems. I determined this information from 10 seconds of research through wikipedia. Seriously, look stuff up before blindly commenting on it.

Re:Please stop helping Iran and friends (1)

r00t (33219) | more than 2 years ago | (#37965642)

It's thought to be the same team, this time gathering the needed info for stuxnet version 2. Instead of attacking SCADA, Duqu researches SCADA systems. It's getting passwords, certificates, and other goodies needed to make stuxnet version 2 a huge success.

Re:Please stop helping Iran and friends (0)

Anonymous Coward | more than 2 years ago | (#37969284)

> This has nothing to do with stuxnet.

Iran's CERT has just announced that Duqu is an upgraded version of the "Stars" malware they detected this spring. Twitter has since deleted that post for guess what reasons, but Kaspersky Lab's antivirus blog preserved it here:
http://www.securelist.com/en/images/pictures/klblog/208193213.png

We now know that Duqu is a tool, which the axis of New York - Tel-Aviv used to obtain digital documents showing Iran is working on nuclear warhead designs.

The only problem is they are like 25 years late. I mean Mordechai Vanunu, a jewish nuclear technician turned peace activist, who converted to christianity in 1986 and promptly published many documents and photos about the zionist A-bomb manufacturing activity at the Negev Dimona reactor. At that time the world couldn't care less, the jews were still a kind of a sacred cow, no matter what nasty they did. This global indifference towards zionist evil led to the first palestinian intifada in 1987.

Yet, times change. Judging from the recent warm welcome the UNESCO's members gave to the palestinians, most of the world now strongly dislikes the zionist idea that jews are somehow "more equal" than other human races. Somehow New York - Tel-Aviv still thinks jews can make hundreds of nuclear warheads and put them on super submarines, gotten from Germany for free, while at the same time telling Iran not to get either of those, but to become a sitting duck?

Hopefully Russia and China will offer security guarantees to Iran to block the possibility of a judeo-american attack on Teheran. Pakistan should also stand up eventually and rely on her nuclear weapons arsenal for weight to frankly tell the axis of New York - Tel-Aviv:
1., Stay away from hurting islamic Iran
2., Stop the drones extrajudically killing muslim people in Afghanistan and Pakistan

Iran is in a difficult position, but already they emerged victorious from the 7-year war against Iraq, where the USA and zionists were financing, while USSR and France were arming the iraqi war effort against the lone and blockaded Iran. Yet, Iran emerged victorious at the price of her one million war dead. Persian people dearly love their motherland and they will give sons' life if that is needed to stop the zionist aggressors. They know zionists and their US puppets are looking to occupy a huge judeo-empire from the Nile to the rivers of Tigris and Euphrates, as shown on their 10 agorot coinage. There would be no place for muslim people in that empire of "Greater Zion", therefore Iran is standing up for herself and to prevent the deportation of all palestinians to the barren pampas of Argentina's Tierra del Fuego.

The muslim faithful win! Allahu akbar! Ins'Allah!

Re:Please stop helping Iran and friends (2)

Charliemopps (1157495) | more than 2 years ago | (#37965178)

until they decide to use the technology on us. Then it will be bad. At least we don't have to worry about them assassinating a US citizen right?

Re:Please stop helping Iran and friends (0)

Anonymous Coward | more than 2 years ago | (#37965330)

How do you know Duqu was not commissioned by Iran?

Gimp for Windows has Python (1)

Anonymous Coward | more than 2 years ago | (#37964176)

If you have Gimp installed on a windows system, it has a Python executable in its Python directory. Gimp uses Python for its plugins

Re:Gimp for Windows has Python (0)

Anonymous Coward | more than 2 years ago | (#37964548)

Yeah, that really helps, thanks.

Re:Gimp for Windows has Python (1)

Mojo66 (1131579) | more than 2 years ago | (#37964648)

On UNIX, if Python would come bundled with GIMP, it would be installed in /usr/bin and thus available to all applications, whereas on ingenious Windows, the default install location would be somewhere in \Program Files\ where it never gets picked up by anything.

Re:Gimp for Windows has Python (0)

Anonymous Coward | more than 2 years ago | (#37971488)

This is patently untrue, as it depends on how the GIMP was built and installed.

Re:Gimp for Windows has Python (0)

Anonymous Coward | more than 2 years ago | (#37971582)

Don't be too certain about that. I deploy the Esri suite of packages at work, and these tend to install Python for the purpose of writing add-ons. For Esri, you can set the install location for Python via a switch in the installer, and it defaults to c:\pythonMm (with M being major version, and m minor). I assume it'll also add this location to the Path.

Re:Gimp for Windows has Python (-1)

Anonymous Coward | more than 2 years ago | (#37964932)

If you have Windows, there is no way in hell you'd be using a POS like GIMP. Windows has a lot better software available for it.

Re:Gimp for Windows has Python (1)

gd2shoe (747932) | more than 2 years ago | (#37966740)

It doesn't have a whole lot of free (or inexpensive) software more powerful than GIMP. (It does have moderate and very expensive software that is much better than GIMP.) Now the cheap software available does tend to have a much cleaner/easier user interface than GIMP...

Re:Gimp for Windows has Python (0)

Anonymous Coward | more than 2 years ago | (#37967548)

Paint.NET [getpaint.net] is free and Paint Shop Pro X4 is $50. Both are objectively better than GIMP. There are lots of other free and inexpensive raster graphics programs for Windows, as well as the high end stuff like Painter and Photoshop.

Re:Gimp for Windows has Python (1)

gmhowell (26755) | more than 2 years ago | (#37971546)

Even the most computer illiterate person knows how to get a copy of Photoshop and a serial number on their Windows machine. This is not 'Free' as in speech software, but 'Free' as in beer. Which is really all that most people care about.

Ultimate purpose of Duqu (1)

Hank the Lion (47086) | more than 2 years ago | (#37964188)

In Suriname / Dutch slang, "doekoe" (pronounced as "duku") means money.
So, what would be the ultimate purpose of "Duqu"?
To make heaps of money with it!

Re:Ultimate purpose of Duqu (0)

Anonymous Coward | more than 2 years ago | (#37964238)

The obvious purpose is to get python installed on every Windows desktop.

Re:Ultimate purpose of Duqu (1)

Splenetiatist (1903770) | more than 2 years ago | (#37964468)

It was named by researchers after the files it creates , which are prefixed "~DQ".

Re:Ultimate purpose of Duqu (1)

Tomato42 (2416694) | more than 2 years ago | (#37964544)

One doesn't exclude the other. Informative nonetheless.

Re:Ultimate purpose of Duqu (0)

Anonymous Coward | more than 2 years ago | (#37964942)

A lot more informative than some idiotic, wild guess based on slang. You know, without actually doing any research on where the name actually came from.

Re:Ultimate purpose of Duqu (1)

InlawBiker (1124825) | more than 2 years ago | (#37965236)

Because it's professionally written from a Stuxnet base, uses a signed driver, a new 0-day in MS Word, takes screen shots and key logs and also completely removes itself in 30-some days... It's probably a government spy program. My guess.

Re:Ultimate purpose of Duqu (1)

lennier (44736) | more than 2 years ago | (#37968208)

...a new 0-day in MS Word...

That right there is the main problem here.

Why, ten years after Microsoft announced that they were "focusing on security", is commercial software from any vendor still allowed to be shipped with 0-days embedded? These things can be found with rigorous enough testing (ie, what criminal gangs are able to afford). Why then is it not a criminal offence for a company to sell software without having done this amount of testing? They are aiding and abetting criminal enterprise by allowing these security holes to exist in software they wrote.

This isn't a game any more. It's time to get real about software security on the Internet, or get out of the industry. Stop shipping native code if you can't guarantee that you can write it 100% correctly every time. It doesn't matter how fast your word processor runs if it gets your customers pwned.

Not much of a virus (1)

jamesh (87723) | more than 2 years ago | (#37964382)

Seriously... what sort of a virus/trojan/worm makes its presence known by leaving the driver files around for any old userspace app to peruse???

Every time I come across a virus I am kind of disappointed at how easy they are to detect. They hook this and that, but then go and kill your antivirus software - a dead giveaway. That wouldn't trip up most home users, but then the malware also makes so many TCP connections that internet browsing doesn't work anymore, which means the user either wipes it and reinstalls, or takes it into the shop to get fixed. Actually finding where the thing is hiding is still a bit of a challenge, but the fact that they kill AV tools and pretty much anything from sysinternals, and the egress traffic they generate, is a dead giveaway that something is hiding there.

OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

Re:Not much of a virus (1)

da8add1e (1244554) | more than 2 years ago | (#37964436)

yeh it's called windows :P

Re:Not much of a virus (1)

Splenetiatist (1903770) | more than 2 years ago | (#37964492)

Every time I come across a virus I am kind of disappointed at how easy they are to detect.

You're disappointed by badly written viruses?

Re:Not much of a virus (1)

dragonturtle69 (1002892) | more than 2 years ago | (#37969598)

OTOH... maybe the perfect virus does exist and it's everywhere but nobody knows they have it...

It is the process that appears to do nothing that is a real concern.

Re:Not much of a virus (1)

Johann Lau (1040920) | more than 2 years ago | (#37971374)

"Every time I come across a virus I am kind of disappointed at how easy they are to detect"

maybe that's because you only come across those that are detectable by your tools? ^^

Re:Not much of a virus (1)

jamesh (87723) | more than 2 years ago | (#37971586)

"Every time I come across a virus I am kind of disappointed at how easy they are to detect"

maybe that's because you only come across those that are detectable by your tools? ^^

You stopped reading before the last line?

Re:Not much of a virus (1)

Johann Lau (1040920) | more than 2 years ago | (#37972340)

why did that last line not make you realize the pointlessness of your post?

are you "coming across" viruses by any other ways of them killing tools? if not, why would it surprise you that you only come across such blatant viruses? the other way I guess would be a warning from the AV before anything gets executed... does that disappoint you, too? the virus has a choice -- turn off the AV before it gets updated, and risk the user noticing (and do you really think everybody does? oh we all wish they would, but that is hardly the case), or don't turn off the AV, and be more or less SURE to get removed at some point, whether the user has a clue or not, because it happens automatically and/or with big popups.

oh, and sysinternal tools aren't "easy" -- when you take the actual target demographic of most viruses into account. even paying attention to the AV tray icon is too much too ask for some. but dabbling with security tools? yeah, right. so in practice, that is already perfect. where do you think botnets come from? forgotten corporate servers -- or home computers of people who simply have not the faintest idea of what is going on in their machine? maybe I'm a cynic, but I think you need a reality check :P

Re:Not much of a virus (0)

Anonymous Coward | more than 2 years ago | (#38047266)

"Every time I come across a virus I am kind of disappointed at how easy they are to detect"

maybe that's because you only come across those that are detectable by your tools? ^^

Er...That's the point.

Virus scanning tools are not new. The basic principles virus scanners use are reasonably well understood. It's not hard for someone to predict what behavior will wander across a virus scanner's notice.

And yet, it's still the case that the vast majority of viruses in the wild scream "I'm a virus" at the top of their lungs. And get found. And get patched. Sure, you get 2-3 days of press out of it. But it's amazing how many people in possession of a zero-day exploit, the keys to the kingdom, do such a half-ass job cashing in. Most viruses are bad software. And while I'm grateful for being blessed with dumb enemies, it's amazing people still try so many things that they should know won't work.

The day I worry about is the one where we stop having "ZOMG new virus!" e-mails every few weeks. That's when we'll know the virus writers have finally wised up to the point that we're really screwed.

but Microsoft promised (0)

Anonymous Coward | more than 2 years ago | (#37964810)

Didn't Microsoft promise that they were going to run their exploit detection tools on all their software.

What ever came of that ?

space indentation & beauty of python portabili (0)

Anonymous Coward | more than 2 years ago | (#37965086)

File "DuquDriverPatterns.py", line 991
        patternsFound = {}
                                            ^
TabError: inconsistent use of tabs and spaces in indentation

Not working. How can I download the script? (0)

Anonymous Coward | more than 2 years ago | (#37965294)

download 1
Win XP, Python 3.2.2, script downloaded by 'save as' clicked on file name. Result - parts of the website's HTML included in the PY file.

c:\Program Files\python32>python.exe DuquDriverPatterns.py
    File "DuquDriverPatterns.py", line 4
       
        ^
SyntaxError: invalid syntax

==-=-=-=
download 2
Script copied

c:\Program Files\python32>python.exe du.py
    File "du.py", line 991
        patternsFound = {}
        ^
IndentationError: expected an indented block

=-=--=-=
download 3
ahhh i found it, download and zipped version!! AND FAIL AGAIN?

c:\Program Files\python32>python.exe DuquDriverPatterns.py
    File "DuquDriverPatterns.py", line 991
        patternsFound = {}
                                            ^
TabError: inconsistent use of tabs and spaces in indentation

-=-=-=-=-=-=-

SIMPLE QUESTION. HOW CAN I DOWNLOAD AND EXECUTE THIS FILE WITHOUT ERRORS????

Re:Not working. How can I download the script? (1)

Almost-Retired (637760) | more than 2 years ago | (#37966276)

I did the copy/paste myself, from that web page and it sucks to have to fix all the gawddamned tabs the html engine or the copy paste inserts needlessly. Where the hell is the download button?

But I did it, good enough that it runs, but it's done instantly, so I guess I'll try my hand at editing a real python file to put in some prints and see what is null; it pays no attention to what would be argc[2].
If anyone has a clue what this line is supposed to do on a linux box, speak up, python total newbie here.

  rootdir = sys.argv[1]

If its supposed to take a cli argument, how is it passed to a python script?

Cheers, Gene

Re:Not working. How can I download the script? (1)

Bodhammer (559311) | more than 2 years ago | (#37967196)

python.exe DuquDriverPatterns.py c:

Re:Not working. How can I download the script? (1)

Almost-Retired (637760) | more than 2 years ago | (#37969428)

That is obviously for winderz, this is linux. I finally hardcoded the script for /, but that is too wide a brush and eventually reset the system, probably out of ram, only 4Gb in this box.

Thanks & Cheers, Gene
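To tie the exchange above together (rootdir = sys.argv[1] is just the first command-line argument, "python.exe DuquDriverPatterns.py c:" on Windows or "python scan.py /" on Linux), here is an added example of the same idea written as a small scanner. It is not the NSS Labs script and not code posted by anyone in this thread. The driver and PNF names come from the Symantec list quoted earlier in the thread; the skip list for Linux pseudo-filesystems and the sample directory tree are constructed for the demo. Walking the tree as a generator and pruning /proc and /sys is what keeps a scan of "/" from eating the box's memory, which is the failure Gene hit.

```python
"""Minimal directory scanner for the known Duqu file names quoted in this thread.

Added example, not the NSS Labs DuquDriverPatterns.py script. The file names
come from the thread (per the Symantec whitepaper cited there); the skip list
and the sample tree are constructed for the demo.
"""
import os
import shutil
import sys
import tempfile

# Driver and PNF names listed earlier in the thread.
KNOWN_NAMES = frozenset({
    "cmi4432.sys", "jminet7.sys", "nfrd965.sys", "adpu321.sys", "netp191.pnf",
})

# Linux pseudo-filesystems to leave alone when the root is "/" (assumed list).
SKIP_DIRS = frozenset({"/proc", "/sys", "/dev", "/run"})


def iter_matches(rootdir, names=KNOWN_NAMES, skip_dirs=SKIP_DIRS):
    """Yield full paths under rootdir whose lowercase base name is in names.

    A generator: nothing is buffered, so a walk over a whole disk keeps a flat
    memory footprint. os.path.join keeps the separators right on either OS.
    """
    for dirpath, dirnames, filenames in os.walk(rootdir):
        # Prune in place: os.walk then never descends into the skipped dirs.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip_dirs]
        for fn in filenames:
            if fn.lower() in names:
                yield os.path.join(dirpath, fn)


def scan(rootdir):
    """Collect the matches as a sorted list."""
    return sorted(iter_matches(rootdir))


def basenames(paths):
    """Lowercase file names of the given paths, sorted (handy for checks)."""
    return sorted(os.path.basename(p).lower() for p in paths)


def build_sample_tree(with_hits=True):
    """Constructed sample tree: two hits (one upper-case) plus a benign decoy."""
    root = tempfile.mkdtemp(prefix="duqu_demo_")
    files = [("Windows", "System32", "drivers", "ntfs.sys")]
    if with_hits:
        files += [("Windows", "System32", "drivers", "cmi4432.sys"),
                  ("Windows", "inf", "NETP191.PNF")]
    for parts in files:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\x00" * 16)  # placeholder content, not a real driver
    return root


def cleanup(root):
    """Remove a sample tree created by build_sample_tree()."""
    shutil.rmtree(root, ignore_errors=True)


def main(argv):
    """sys.argv[1] is the first command-line argument, i.e. the root to scan:
    python scan.py C:\\   or   python scan.py /home
    With no argument, fall back to the current directory instead of crashing
    with IndexError."""
    rootdir = argv[1] if len(argv) > 1 else os.getcwd()
    hits = scan(rootdir)
    for path in hits:
        print("MATCH:", path)
    print("%d matching file(s) under %s" % (len(hits), rootdir))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status (1 when anything matched, 0 otherwise) is what makes the script usable from a batch job or a login script without parsing its output. A name match is only a first pass: a file that matches should be looked at further (signature, hash, entropy), and a clean result does not prove the box is clean, since a driver that is loaded but hidden will not show up in a user-mode directory walk.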

CrySyS duqu detector toolkit (1)

boldi (100534) | more than 2 years ago | (#37999362)

CrySyS Lab released a new open-source toolkit to detect Duqu traces (possibly some file left after Duqu uninstalled itself after 30-36 days) and running Duqu instances.
http://www.crysys.hu/duqudetector/
Our tool combines a heuristic and a signature-based approach, e.g. it calculates entropy for .PNF files and reports the suspiciously random ones.
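The entropy heuristic mentioned in the post above, as an added example: this is not the CrySyS detector's own code. It computes Shannon entropy per byte for every .PNF file under a root, streaming the file so it never has to fit in memory, and reports the ones at or above a cut-off. The 7.0 bits/byte threshold is an assumption to tune against a known-clean Windows\inf directory, and the two sample files are constructed for the demo (a text-like one and one with every byte value equally frequent, which scores the maximum of 8.0).

```python
"""Entropy heuristic for .PNF files, as described by the CrySyS post above.

Added example, not the CrySyS detector's own code. The 7.0 bits/byte cut-off
is an assumption to tune against a clean Windows\\inf directory; the sample
files are constructed for the demo.
"""
import math
import os
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off


def entropy_from_counts(counts, total):
    """Shannon entropy in bits per byte from a byte-value histogram."""
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def shannon_entropy(data):
    """0.0 for empty or single-valued data, 8.0 for a uniform byte distribution."""
    return entropy_from_counts(Counter(data), len(data))


def file_entropy(path, chunk_size=1 << 20):
    """Stream the file in chunks so large inputs never have to fit in memory."""
    counts = Counter()
    total = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            counts.update(chunk)
            total += len(chunk)
    return entropy_from_counts(counts, total)


def suspicious_pnf_files(rootdir, threshold=ENTROPY_THRESHOLD):
    """Return sorted [(path, entropy)] for .pnf files at or above the threshold.

    Precompiled INF (.PNF) files are structured binary data, so a file whose
    bytes are near-uniformly distributed (a packed or encrypted payload)
    stands out from its neighbours.
    """
    hits = []
    for dirpath, _, filenames in os.walk(rootdir):
        for fn in filenames:
            if fn.lower().endswith(".pnf"):
                path = os.path.join(dirpath, fn)
                h = file_entropy(path)
                if h >= threshold:
                    hits.append((path, round(h, 3)))
    return sorted(hits)


def build_sample_inf_dir():
    """Constructed sample: one text-like PNF and one with a uniform byte spread."""
    root = tempfile.mkdtemp(prefix="pnf_demo_")
    inf = os.path.join(root, "Windows", "inf")
    os.makedirs(inf)
    with open(os.path.join(inf, "oem1.pnf"), "wb") as f:
        f.write(b'[Version]\r\nSignature="$Windows NT$"\r\n' * 50)
    with open(os.path.join(inf, "suspect.pnf"), "wb") as f:
        f.write(bytes(range(256)) * 8)  # every byte value equally often -> 8.0 bits
    return root


def cleanup(root):
    """Remove a sample tree created by build_sample_inf_dir()."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_inf_dir()
    for path, h in suspicious_pnf_files(root):
        print("%.3f  %s" % (h, path))
```

Entropy on its own produces false positives (legitimately compressed or signed blobs score high too), which is why the post pairs it with signatures: a high-entropy .PNF is a lead to hash and inspect, not a verdict.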
