The mystery of the Duqu framework

From Botnets.fr


Botnet: Duqu
Malware: Duqu_(bot)
Date: March 07 2012
Editor/Conference: Kaspersky lab
Link: http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework (Archive copy)
Author: Igor Soumenkov

Abstract

While analyzing the components of Duqu, we discovered an interesting anomaly in the main component that is responsible for its business logic, the Payload DLL. We would like to share our findings and ask for help identifying the code.

Code layout

At first glance, the Payload DLL looks like a regular Windows PE DLL file compiled with Microsoft Visual Studio 2008 (linker version 9.0). The entry point code is absolutely standard, and there is one function exported by ordinal number 1 that also looks like MSVC++. This function is called from the PNF DLL and it is actually the “main” function that implements all the logic of contacting C&C servers, receiving additional payload modules and executing them. Most interesting is how this logic was programmed and what tools were used.

The code section of the Payload DLL is typical of a binary that was assembled from several pieces of code. It consists of “slices” of code that may have been initially compiled in separate object files before they were linked into a single DLL. Most of them can be found in any C++ program, such as Standard Template Library (STL) functions, run-time library functions and user-written code, except for the biggest slice, which contains most of the C&C interaction code.

Bibtex

 @misc{2012BFR922,
   editor = {Kaspersky lab},
   author = {Igor Soumenkov},
   title = {The mystery of the Duqu framework},
   date = {07},
   month = Mar,
   year = {2012},
   howpublished = {\url{http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework}},
 }