Posted by: Pez
« on: 02. November 2011., 10:06:55 »

We discussed much of the unfolding Duqu attack in our previous post. Some new light has recently illuminated some missing pieces to this interesting attack.
 
Researchers at CrySys Labs in Hungary have disclosed information about a Word document that is purported to be the installer file for the Duqu attacks. The document loads a kernel driver after exploitation from a possible new zero-day vulnerability, which then loads a DLL into Services.exe to start the Duqu installation. This driver appears to have been compiled on Thu Feb 21 06:14:47 2008, according to the time stamp in its PE header. The driver is not signed, as it is loaded via the zero-day exploit that results in kernel memory access.

We have already seen several indications that this threat was related to Stuxnet in some form. When comparing the code of the first Duqu samples we received with older Stuxnet variants, we noticed several similarities, and even exact matches for some important functions such as the DLL-injection routine, decryption of strings and external modules, and management of tables for indirect API calls, among others. Due to the 2008 timeframe for the driver code in question, we have yet another clue, beside the zero-day exploit, that this code is likely based on the same base as Stuxnet, which reused old driver code in several cases while creating new exploits.
 
Detection has been added for this new malware to our existing Duqu coverage: PWS-Duqu, PWS-Duqu!rootkit, and PWS-Duqu!dat.
 
More to come as this tale unfolds!

Original Article: Tuesday, November 1, 2011 at 1:58pm by Peter Szor and Guilherme Venere
http://blogs.mcafee.com/mcafee-labs/of-kernel-vulnerabilities-and-zero-dayz-a-duqu-update
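The post's 2008 compile date comes from the TimeDateStamp field of the driver's PE file header. The script below is an added example, not part of Pez's post or the McAfee article: it reads that field from a PE image and reports how old the build was when the sample was first observed, which is the kind of lineage clue the article draws on. It constructs a synthetic minimal PE header as sample input (no real Duqu bytes), assumes the timestamp is interpreted as UTC, and uses only the Python standard library.

```python
import calendar
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"

# Constructed sample value: the compile time quoted in the post, taken as UTC.
SAMPLE_TIMESTAMP = calendar.timegm((2008, 2, 21, 6, 14, 47, 0, 0, 0))


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal PE-like byte string: DOS header, NT signature and
    IMAGE_FILE_HEADER. This is constructed sample input, not a real driver."""
    e_lfanew = 0x40
    # DOS header: 'MZ', padding, then e_lfanew at offset 0x3C.
    dos_header = IMAGE_DOS_SIGNATURE + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    # 0x014C = i386, 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE (sample values).
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return dos_header + IMAGE_NT_SIGNATURE + file_header


def pe_compile_time(data: bytes) -> datetime:
    """Return the TimeDateStamp of a PE image as a UTC datetime.

    Raises ValueError if the DOS or NT signature is missing, so callers
    never read a timestamp out of a non-PE blob."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    # TimeDateStamp sits 4 bytes into IMAGE_FILE_HEADER, which follows the
    # 4-byte 'PE\0\0' signature.
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def compile_age_days(data: bytes, first_seen_iso: str) -> int:
    """Whole days between the PE compile date and the date the sample was
    first observed (ISO date string). A large gap between the two is one of
    the clues the post uses to connect the driver to older Stuxnet-era code."""
    first_seen = datetime.fromisoformat(first_seen_iso).date()
    return (first_seen - pe_compile_time(data).date()).days


def demo() -> str:
    """Parse the constructed sample and render it in the post's ctime style."""
    sample = build_minimal_pe(SAMPLE_TIMESTAMP)
    return pe_compile_time(sample).strftime("%a %b %d %H:%M:%S %Y")


if __name__ == "__main__":
    pe = build_minimal_pe(SAMPLE_TIMESTAMP)
    print("compile time:", demo())
    print("age at first sighting (days):", compile_age_days(pe, "2011-11-01"))
```

Note that TimeDateStamp is writer-controlled and can be zeroed or forged, so treat it as one clue to weigh alongside code similarity, as the article does, rather than as proof of age on its own.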
