The mystery of Duqu: part one
(Publication) Google search: [1]
| The mystery of Duqu: part one | |
|---|---|
| Botnet | Duqu, Stuxnet |
| Malware | Duqu (bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2011 / 2011-10-20 |
| Editor/Conference | Kaspersky lab |
| Link | http://www.securelist.com/en/blog/208193182/The Mystery of Duqu Part One (Archive copy) |
| Author | Alexander Gostev |
| Type | |
Abstract
“ First of all, we feel it necessary to clarify some of the confusion surrounding the files and their names related to this incident. To get a full understanding of the situation you only need to know that we’re talking about just two malicious programs here (at a minimum) - the main module and a keylogger. All that has been mentioned in last 24 hours about connections between Duqu and Stuxnet is related mostly to the first one - the main module.
The main module consists of three components:
- a driver that injects a DLL into system processes;
- a DLL that has an additional module and works with the C&C; and
- a configuration file.
The module is very similar to Stuxnet - both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy-program!
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR930,
editor = {Kaspersky lab},
author = {Alexander Gostev},
title = {The mystery of Duqu: part one},
date = {20},
month = Oct,
year = {2011},
howpublished = {\url{http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One}},
}