The mystery of Duqu: part five
Jump to navigation
Jump to search
(Publication) Google search: [1]
| The mystery of Duqu: part five | |
|---|---|
| Botnet | Duqu |
| Malware | Duqu (bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2011 / 2011-11-15 |
| Editor/Conference | Kaspersky lab |
| Link | http://www.securelist.com/en/blog/606/The Mystery of Duqu Part Five (Archive copy) |
| Author | Igor Soumenkov |
| Type | |
Abstract
“ The driver is the first component of Duqu to be loaded in the system. As we discovered, the driver and other components of malware are installed with a dropper exploiting a 0-day vulnerability (CVE-2011-3402). The driver is registered in the HKLM\System\CurrentControlSet\Services\ registry path. The exact name of the registry key varies in different versions of Duqu drivers.
Once the driver is loaded, it decrypts a small block that contains its registry key and the name of the registry value to be read from that key. It also contains the name of the driver object to create
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR972,
editor = {Kaspersky lab},
author = {Igor Soumenkov},
title = {The mystery of Duqu: part five},
date = {15},
month = Nov,
year = {2011},
howpublished = {\url{http://www.securelist.com/en/blog/606/The_Mystery_of_Duqu_Part_Five}},
}