The mystery of Duqu: part five
Revision as of 16:24, 7 February 2015
(Publication)
The mystery of Duqu: part five |
---|---
Botnet | Duqu
Malware | Duqu (bot)
Date | 2011 / 2011-11-15
Editor/Conference | Kaspersky lab
Link | http://www.securelist.com/en/blog/606/The_Mystery_of_Duqu_Part_Five
Author | Igor Soumenkov
Abstract
“The driver is the first component of Duqu to be loaded in the system. As we discovered, the driver and other components of malware are installed with a dropper exploiting a 0-day vulnerability (CVE-2011-3402). The driver is registered in the HKLM\System\CurrentControlSet\Services\ registry path. The exact name of the registry key varies in different versions of Duqu drivers.
Once the driver is loaded, it decrypts a small block that contains its registry key and the name of the registry value to be read from that key. It also contains the name of the driver object to create
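The abstract gives two concrete facts about the driver: it is registered under HKLM\System\CurrentControlSet\Services\ under a key name that changes between versions, and once loaded it reads a named value from that key. That argues for hunting by behaviour rather than by name. The following is an added example, not code from the Kaspersky post: it parses the text of a `reg export` of the Services key (a constructed sample is embedded; the service name `exampledrv` and the value name `Data0` are hypothetical, not indicators from the report) and flags kernel or file-system driver services whose key carries a REG_BINARY value that is not one of the documented service-key values. The `STANDARD_VALUES` set and the 32-byte threshold are assumptions to tune for the host being examined.

```python
"""Hunt for driver service keys that carry an out-of-place binary blob.

Added example for this wiki entry, not code from the Kaspersky post.
Input is text in the format written by
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
The sample below is constructed; "exampledrv" and "Data0" are made-up names.
"""
import re
from dataclasses import dataclass

# Constructed .reg sample: a benign driver (Beep), a user-mode service that
# also holds a blob (Spooler, Type 0x110), and a hypothetical driver whose key
# stores a 48-byte binary value under a non-standard name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,62,00,65,00,65,00,70,00,\
  2e,00,73,00,79,00,73,00,00,00
"DisplayName"="Beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"Data0"=hex:11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,00,\
  11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\exampledrv.sys"
"DisplayName"="exampledrv"
"Data0"=hex:9a,1f,3c,e0,7b,44,0d,88,51,2e,c7,19,a3,6f,b2,04,\
  5d,ee,31,9c,48,f0,27,6a,d1,03,b9,5e,72,8c,e4,1b,\
  00,41,6c,22,d9,75,8e,13,c6,3a,f7,50,0b,92,ad,67
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_TYPES = {None: "REG_BINARY", "0": "REG_NONE", "2": "REG_EXPAND_SZ",
              "7": "REG_MULTI_SZ", "b": "REG_QWORD"}


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(raw: str):
    """Turn the right-hand side of a .reg value line into (type, data)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw)
    if not m:
        return "UNKNOWN", raw
    kind = _HEX_TYPES.get(m.group(1)) or f"REG_TYPE_{m.group(1)}"
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):
        return kind, data.decode("utf-16-le").rstrip("\x00")  # stored as UTF-16LE
    return kind, data


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: (type, data)}} from .reg text.
    A line ending in a backslash continues on the next line (long hex data)."""
    joined = []
    for line in text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    keys, current = {}, None
    for line in joined:
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = {}
        elif (m := _VALUE_RE.match(line)) and current is not None:
            keys[current][_unescape(m.group(1))] = _parse_data(m.group(2))
    return keys


SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER = 0x1, 0x2
# Values the Service Control Manager documents for a service key (assumption:
# extend for the Windows build under examination). Anything else under a
# driver key is where a driver's private configuration would sit.
STANDARD_VALUES = {
    "Type", "Start", "ErrorControl", "ImagePath", "DisplayName", "Group",
    "Tag", "DependOnService", "DependOnGroup", "Description", "ObjectName",
    "Owners", "ServiceSidType", "RequiredPrivileges", "FailureActions",
    "DelayedAutostart", "WOW64", "DriverPackageId",
}


@dataclass
class Finding:
    service: str
    image_path: str
    value_name: str
    size: int


def find_driver_config_blobs(keys: dict, min_size: int = 32) -> list:
    """Flag driver services whose key holds a REG_BINARY value of at least
    min_size bytes under a name that is not a documented service value."""
    findings = []
    for path, values in keys.items():
        kind, svc_type = values.get("Type", ("REG_DWORD", 0))
        if kind != "REG_DWORD" or svc_type not in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
            continue  # user-mode services are out of scope for this check
        image = values.get("ImagePath", ("", ""))[1]
        for name, (vkind, data) in values.items():
            if name in STANDARD_VALUES or vkind != "REG_BINARY" or len(data) < min_size:
                continue
            findings.append(Finding(path.rsplit("\\", 1)[-1], image, name, len(data)))
    return findings


if __name__ == "__main__":
    for f in find_driver_config_blobs(parse_reg_export(SAMPLE_REG)):
        print(f"{f.service}: value {f.value_name!r} ({f.size} bytes), image {f.image_path}")
```

On a live host, `reg export` writes the file as UTF-16 with a byte-order mark, so read it with `encoding="utf-16"` before handing the text to `parse_reg_export`. A hit only says that a driver keeps an unusual blob in its own key, which is the behaviour the abstract describes; confirm it by pulling the binary named in `ImagePath` and checking whether it reads that value at load time.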
Bibtex
@misc{2011BFR972,
  editor = {Kaspersky lab},
  author = {Igor Soumenkov},
  title = {The mystery of Duqu: part five},
  day = {15},
  month = Nov,
  year = {2011},
  howpublished = {\url{http://www.securelist.com/en/blog/606/The_Mystery_of_Duqu_Part_Five}},
}