jared1

ideas for protecting customers against Duqu (stuxnet 2)

Read these:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf (the most detailed yet)

http://www.f-secure.com/weblog/archives/00002255.html

http://www.f-secure.com/v-descs/backdoor_w32_duqu.shtml

After reading through all the initial reports, I've come up with potential use cases for detecting Duqu:

Any modifications to the following files:

jminet7.sys

netp191.pnf

netp192.pnf

cmi4432.sys

cmi4432.pnf

cmi4464.PNF

or ends with .sys (case insensitive)

or ends with .pnf (case insensitive)

Registry modifications to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432

or starts with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

New rules should be written to detect outbound (POST) traffic ending with .jpg. This would be for 80 and 443, ideally your customer has SSL decryption. Also note the user agent strings. You should already be monitoring new / malicious user agent strings in and out.

POST / HTTP/1.1
Cookie: PHPSESSID=spwkwq1tnsam0gg6hj0i3jg20h
Cache-Control: no-cache
Pragma: no-cache
Content-Type: multipart/form-data; boundary=---------------------------b1824763588154
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
Host: 206.[REMOVED].97
Content-Length: 1802
Connection: Keep-Alive

---------------------------b1824763588154
Content-Disposition: form-data; name="DSC00001.jpg"
Content-Type: image/jpeg

[EMBEDDED JPEG AND STOLEN DATA]

I don't have any quick and dirty ARBs available yet.  Please add feedback as we further understand the behavior of this malware and its variants.

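As an added illustration (not part of jared1's post and not vendor or ARB content), the script below applies the three use cases above to constructed file, registry and HTTP events: exact Duqu file names and service keys score high, any .sys/.pnf write or Services subkey change scores low for correlation, and a POST whose multipart field is named *.jpg is flagged together with its User-Agent. The severities, sample paths, keys and the 203.0.113.10 host are assumptions for the demo.

```python
import re
from collections import namedtuple

# Indicators below are copied from the post above; all sample events are constructed.
DUQU_FILES = {"jminet7.sys", "netp191.pnf", "netp192.pnf",
              "cmi4432.sys", "cmi4432.pnf", "cmi4464.pnf"}
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
DUQU_SERVICES = {SERVICES + r"\jminet3", SERVICES + r"\cmi4432"}
# multipart field named *.jpg (the container the post says the stolen data rides in)
JPG_FIELD = re.compile(r'form-data;\s*name="?[^";\r\n]*\.jpg"?', re.I)

Alert = namedtuple("Alert", "severity reason detail")

def check_file_event(path):
    """File write/modify event: exact Duqu names are high, any .sys/.pnf is low."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in DUQU_FILES:
        return Alert("high", "known Duqu file name", path)
    if name.endswith((".sys", ".pnf")):
        return Alert("low", "driver or .pnf file modified", path)
    return None

def check_registry_event(key):
    """Registry write: known Duqu service keys are high, other Services subkeys low."""
    k = key.lower().rstrip("\\")
    if k in DUQU_SERVICES or any(k.startswith(s + "\\") for s in DUQU_SERVICES):
        return Alert("high", "known Duqu service key", key)
    if k.startswith(SERVICES):
        return Alert("low", "service key modified", key)
    return None

def check_http_request(raw):
    """Outbound POST carrying a form-data field named *.jpg; records the User-Agent."""
    if not raw.startswith("POST ") or not JPG_FIELD.search(raw):
        return None
    ua = re.search(r"^User-Agent:\s*(.+)$", raw, re.M)
    return Alert("medium", "POST with .jpg form-data field",
                 ua.group(1).strip() if ua else "no User-Agent header")

# Constructed sample telemetry (not real events; 203.0.113.10 is a documentation address).
SAMPLE_FILES = [r"C:\Windows\System32\Drivers\JMINET7.SYS", r"C:\Windows\inf\oem1.PNF", r"C:\Users\a\notes.txt"]
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Example"]
SAMPLE_POST = ("POST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=---x\r\n"
               "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0) Firefox/3.6.9\r\n"
               "Host: 203.0.113.10\r\n\r\n---x\r\nContent-Disposition: form-data; name=\"DSC00001.jpg\"\r\n")

def run_all():
    """Run every check over the constructed samples and return the alerts raised."""
    alerts = [check_file_event(p) for p in SAMPLE_FILES] + [check_registry_event(k) for k in SAMPLE_KEYS]
    alerts.append(check_http_request(SAMPLE_POST))
    return [a for a in alerts if a]
```

Feeding real file, registry and proxy events through the same three functions gives the high/low split the post suggests: the low-severity hits are only worth acting on when they correlate with a high hit or the .jpg POST on the same host.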
chenselein1

Re: ideas for protecting customers against Duqu (stuxnet 2)

Interesting topic that should be bumped. Currently don't have the time to work myself through that Symantec Whitepaper, but will try to jump into this discussion asap.

BR,

Christoph

jared1

Re: ideas for protecting customers against Duqu (stuxnet 2)

New article with more information on the jpgs:

http://www.f-secure.com/weblog/archives/00002257.html

Interesting picture they used: colliding galaxies.
