ideas for protecting customers against Duqu (stuxnet 2)
After reading through all the initial reports, I've come up with potential use cases for detecting Duqu:
Any modifications to the following files:
or ends with .sys (case insensitive)
or ends with .pnf (case insensitive)
Registry modifications to:
or starts with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
New rules should be written to detect outbound (POST) traffic ending with .jpg. This would be for 80 and 443; ideally your customer has SSL decryption. Also note the user agent strings. You should already be monitoring new / malicious user agent strings in and out.
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
Content-Disposition: form-data; name="DSC00001.jpg"
[EMBEDDED JPEG AND STOLEN DATA]
I don't have any quick and dirty ARBs available yet. Please add feedback as we further understand the behavior of this malware and its variants.
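Added example (not code from the post, its author, or Symantec's whitepaper): a small Python prototype of the three use cases above, run over constructed sample events. It assumes the collector has already normalized file, registry and HTTP events into dicts, that the HTTP requests are visible in the clear (proxy log or SSL decryption in place), and that the baseline of "known" user agents is hypothetical; the hosts, paths and Host header in the sample events are made up.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the post: file extensions, registry prefix, user agent.
SUSPECT_EXTENSIONS = (".sys", ".pnf")
SERVICES_KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
DUQU_USER_AGENT = (
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
    "Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
)
# Hypothetical baseline of user agents already seen on this network; a UA
# outside it is reported as "new" so an analyst can review it.
KNOWN_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "Microsoft-CryptoAPI/6.1",
}
FORM_NAME_RE = re.compile(r'Content-Disposition:\s*form-data;[^\r\n]*?name="([^"]*)"', re.I)

@dataclass
class Alert:
    rule: str
    host: str
    detail: str

def check_file_event(host, path, action):
    """Use case 1: any modification to a *.sys or *.pnf file, case insensitive."""
    if path.lower().endswith(SUSPECT_EXTENSIONS):
        return Alert("duqu-file", host, f"{action} {path}")
    return None

def check_registry_event(host, key, action):
    """Use case 2: any write under HKLM\\SYSTEM\\CurrentControlSet\\Services, case insensitive."""
    if key.lower().startswith(SERVICES_KEY_PREFIX.lower()):
        return Alert("duqu-registry", host, f"{action} {key}")
    return None

def parse_http_request(raw):
    """Return (method, target, headers) from a raw request head; header names are
    lower-cased and only the first value of a repeated header is kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers

def check_http_request(host, raw):
    """Use case 3: outbound POST whose form-data part is named *.jpg, plus the
    user agent checks. One request can trip more than one rule."""
    alerts = []
    method, target, headers = parse_http_request(raw)
    if method.upper() == "POST":
        for name in FORM_NAME_RE.findall(raw):  # scans the multipart body too
            if name.lower().endswith(".jpg"):
                alerts.append(Alert("duqu-post-jpg", host, f"POST {target} part {name}"))
    ua = headers.get("user-agent", "")
    if ua == DUQU_USER_AGENT:
        alerts.append(Alert("duqu-user-agent", host, ua))
    elif ua and ua not in KNOWN_USER_AGENTS:
        alerts.append(Alert("new-user-agent", host, ua))
    return alerts

def run(events):
    """Dispatch normalized events (dicts, as a collector would emit) to the rules."""
    alerts = []
    for ev in events:
        if ev["type"] == "file":
            hit = check_file_event(ev["host"], ev["path"], ev["action"])
            alerts += [hit] if hit else []
        elif ev["type"] == "registry":
            hit = check_registry_event(ev["host"], ev["key"], ev["action"])
            alerts += [hit] if hit else []
        elif ev["type"] == "http":
            alerts += check_http_request(ev["host"], ev["raw"])
    return alerts

# Constructed sample data: hosts, paths and Host header are made up; the request
# mirrors the shape of the capture quoted in the post.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\nHost: example.com\r\n"
    f"User-Agent: {DUQU_USER_AGENT}\r\n"
    "Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
    '--xyz\r\nContent-Disposition: form-data; name="DSC00001.jpg"\r\n\r\n'
    "<jpeg bytes and stolen data>\r\n--xyz--\r\n"
)
SAMPLE_EVENTS = [
    {"type": "file", "host": "ws01", "action": "create",
     "path": r"C:\Windows\System32\Drivers\EXAMPLE.SYS"},
    {"type": "file", "host": "ws01", "action": "modify", "path": r"C:\Windows\inf\example.PNF"},
    {"type": "file", "host": "ws02", "action": "modify", "path": r"C:\Users\bob\notes.txt"},
    {"type": "registry", "host": "ws01", "action": "set",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\example\ImagePath"},
    {"type": "registry", "host": "ws02", "action": "set", "key": r"HKEY_CURRENT_USER\Software\Example"},
    {"type": "http", "host": "ws01", "raw": SAMPLE_REQUEST},
    {"type": "http", "host": "ws02",
     "raw": "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\n\r\n"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.rule:16} {a.host:5} {a.detail}")
```

Two things worth keeping in mind when turning this into real rules: the file and registry use cases as written will fire on every driver install and service change, so in practice they need a whitelist of the customer's normal patching activity before they are useful as alerts rather than as a hunting query; and the .jpg check only works where the proxy or decrypting device exposes the multipart body, not just the URL, since the request line itself is only "POST /".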
Re: ideas for protecting customers against Duqu (stuxnet 2)
Interesting topic that should be bumped. Currently don't have the time to work myself through that Symantec Whitepaper, but will try to jump into this discussion asap.