Open-source toolkit tracks down Duqu infections

A component of the toolkit can also give an administrator insight into what data was stolen

The lab credited with discovering the Duqu malware has built an open-source toolkit that administrators can use to see whether their networks are infected.

The Duqu Detector Toolkit v1.01 looks for suspicious files left by Duqu, which has created a buzz in the security community given its stealthy nature and some characteristics it shares with another famous piece of malicious software, Stuxnet.

The Laboratory of Cryptography and System Security (CrySys), part of the Budapest University of Technology and Economics in Hungary, wrote in its release notes that the toolkit, which is composed of four components, looks for unusual files that mark an infection.

CrySys said the toolkit should detect a real, active Duqu infection, but false positives are possible, so it cautioned that administrators will need to analyze the results themselves.

Forensic stand-alone tools such as the one CrySys developed are important since they give Duqu victims a better picture of how they were attacked, said Costin Raiu, director of the global research and analysis team for Kaspersky Lab. Antivirus software does not give the same insight and focuses instead on detecting and blocking an attack.

"The toolkit released by CrySys Lab is top class," Raiu said. "Of course, all of this can be done 'manually,' but these tools make it much easier to spot anomalies in Duqu-infected computers."

The toolkit also has a component that could let victims figure out what data Duqu has stolen. Raiu said stolen data is stored in files ending in "DQ" -- hence the malware's name -- and in "DF."

"I'm sure that any victim wants to know what was stolen from them," Raiu said.

At least one other company has released a Duqu detection tool. NSS Labs' tool is a script that looks for certain strings within the drivers employed by Duqu.
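The two kinds of check described above, a filename pattern for the dropped "DQ"/"DF" data files and a string search inside driver files, can be combined into one sweep. The script below is an added example written for this article; it is not the CrySys toolkit or the NSS Labs script, and the article does not list the indicators either tool actually uses. The filename regex, the restriction of the string search to .sys files and the DRIVER_MARKERS byte strings are assumptions and placeholders, and the sample tree it scans is constructed in a temporary directory.

```python
"""Indicator sweep for Duqu-style artifacts (added example, not CrySys or NSS Labs code).

Checks: (1) filenames ending in a DQ/DF stem, as the article describes the
stolen-data files; (2) driver files containing known byte strings. The
regex, the .sys restriction and DRIVER_MARKERS are assumptions/placeholders.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass

# Assumption: a DQ/DF stem, optionally followed by digits and a .tmp extension.
# The lookbehind keeps ordinary names such as "report.pdf" (which also ends
# in "df") from being flagged, one of the false-positive sources to watch for.
SUSPICIOUS_NAME = re.compile(r"(?<![A-Za-z])(DQ|DF)\d*(\.tmp)?$", re.IGNORECASE)

# Placeholder byte strings (hypothetical); substitute vetted indicators.
DRIVER_MARKERS = [b"EXAMPLE_DRIVER_MARKER_1", b"EXAMPLE_DRIVER_MARKER_2"]
DRIVER_EXTENSIONS = {".sys"}


@dataclass(frozen=True)
class Hit:
    path: str
    reason: str


def scan_name(path):
    """Flag a file whose basename matches the DQ/DF pattern."""
    if SUSPICIOUS_NAME.search(os.path.basename(path)):
        return Hit(path, "filename matches DQ/DF pattern")
    return None


def scan_driver(path, markers=DRIVER_MARKERS, chunk=1 << 20):
    """Search a binary for any marker, reading in chunks.

    The last len(marker)-1 bytes of each chunk are carried over so a marker
    straddling a chunk boundary is still found.
    """
    overlap = max(len(m) for m in markers) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return None
            buf = tail + data
            for m in markers:
                if m in buf:
                    return Hit(path, f"driver contains {m!r}")
            tail = buf[-overlap:] if overlap else b""


def sweep(root):
    """Walk a tree: name check on every file, string check on driver files.
    Hits are leads for analysis, not verdicts."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            hit = scan_name(path)
            if hit is None and os.path.splitext(fn)[1].lower() in DRIVER_EXTENSIONS:
                try:
                    hit = scan_driver(path)
                except OSError:
                    continue
            if hit:
                hits.append(hit)
    return sorted(hits, key=lambda h: h.path)


def hit_names(root):
    """Basenames of all hits under root, sorted."""
    return sorted(os.path.basename(h.path) for h in sweep(root))


def build_sample_tree():
    """Constructed sample data: benign files, two DQ/DF-style temp files and
    one driver carrying a placeholder marker. Returns (root, name->path)."""
    root = tempfile.mkdtemp(prefix="duqu_sweep_")
    samples = {
        "Temp/~DQ7.tmp": b"\x00" * 64,
        "Temp/~DF11.tmp": b"\x00" * 64,
        "Temp/notes.txt": b"hello",
        "Temp/report.pdf": b"%PDF-1.4",
        "drivers/benign.sys": b"MZ" + b"\x00" * 100,
        "drivers/evil.sys": b"MZ" + b"\x00" * 50 + DRIVER_MARKERS[0] + b"\x00" * 10,
    }
    paths = {}
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        paths[os.path.basename(rel)] = path
    return root, paths


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, _ = build_sample_tree()
    try:
        for h in sweep(root):
            print(f"{h.path}: {h.reason}")
    finally:
        cleanup(root)
```

Every hit the sweep reports is a lead to be examined by hand, in line with the CrySys caveat that its own toolkit can produce false positives; the lookbehind in the filename regex is there precisely because a naive "ends in DF" match would also catch every PDF on the machine.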

Microsoft is preparing a patch for the software vulnerability Duqu uses to infect computers. CrySys is also credited with discovering, after examining an installer file, that Duqu exploited a previously unknown Windows vulnerability.

A Duqu infection could occur if a victim was tricked into opening a malicious Microsoft Word document sent by e-mail. The vulnerability lies in Windows' Win32k TrueType font-parsing engine. Microsoft has published a tool to temporarily block attacks until the patch is ready.

Jeremy Kirk

IDG News Service