Difference between revisions of "The mystery of Duqu: part one"
Edit summary of the intermediate revision: m (Text replacement: "|Editor=Kaspersky lab Lab" replaced by "|Editor=Kaspersky lab")
(One intermediate revision by the same user not shown)

Previous revision, from line 1 | Latest revision, from line 1
---|---
{{Publication | {{Publication
 | Botnet=Duqu, Stuxnet,
 | Malware=Duqu (bot),
 | CCProtocol=,
 | Operation=,
 | Year=2011
Date=2011-10-20 |
Editor=Kaspersky lab |
Link=http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One | Link=http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One
Author=Alexander Gostev, | Author=Alexander Gostev,
Abstract=First of all, we feel it necessary to clarify some of the confusion surrounding the files and their names related to this incident. To get a full understanding of the situation you only need to know that we're talking about just two malicious programs here (at a minimum) - the main module and a keylogger. All that has been mentioned in the last 24 hours about connections between Duqu and Stuxnet is related mostly to the first one - the main module. | Abstract=First of all, we feel it necessary to clarify some of the confusion surrounding the files and their names related to this incident. To get a full understanding of the situation you only need to know that we're talking about just two malicious programs here (at a minimum) - the main module and a keylogger. All that has been mentioned in the last 24 hours about connections between Duqu and Stuxnet is related mostly to the first one - the main module.
Previous revision, from line 21 | Latest revision, from line 17
The module is very similar to Stuxnet - both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy program! | The module is very similar to Stuxnet - both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy program!
 | Document=
 | Licence=
 | Video=
 | NomRevue=Securelist
Keyword=Rootkits, Targeted Attacks, Keyloggers, Industrial control systems, Certificate authorities, | ISBN=
 | Page=
 | Keyword=Rootkits, Targeted Attacks, Keyloggers, Industrial control systems, Certificate authorities,
}} | }}
Latest revision as of 05:04, 19 August 2015
The mystery of Duqu: part one

Field | Value
---|---
Botnet | Duqu, Stuxnet
Malware | Duqu (bot)
Botnet/malware group |
Exploit kits |
Services |
Feature |
Distribution vector |
Target |
Origin |
Campaign |
Operation/Working group |
Vulnerability |
CCProtocol |
Date | 2011 / 2011-10-20
Editor/Conference | Kaspersky lab
Link | http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One (Archive copy)
Author | Alexander Gostev
Type |
Abstract
“First of all, we feel it necessary to clarify some of the confusion surrounding the files and their names related to this incident. To get a full understanding of the situation you only need to know that we're talking about just two malicious programs here (at a minimum) - the main module and a keylogger. All that has been mentioned in the last 24 hours about connections between Duqu and Stuxnet is related mostly to the first one - the main module.
The main module consists of three components:
- a driver that injects a DLL into system processes;
- a DLL that has an additional module and works with the C&C; and
- a configuration file.
The module is very similar to Stuxnet - both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy program!”
Bibtex
@misc{2011BFR930,
  editor = {Kaspersky lab},
  author = {Alexander Gostev},
  title = {The mystery of Duqu: part one},
  date = {20},
  month = Oct,
  year = {2011},
  howpublished = {\url{http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One}},
}