• DocumentCode
    669130
  • Title
    Analysis and diversion of Duqu's driver
  • Author
    Bonfante, Guillaume; Marion, Jean-Yves; Sabatier, Fabrice; Thierry, Aurelien
  • Author_Institution
    Univ. de Lorraine, Loria, France
  • fYear
    2013
  • fDate
    22-24 Oct. 2013
  • Firstpage
    109
  • Lastpage
    115
  • Abstract
    The propagation techniques and the payload of Duqu have been closely studied over the past year, and it has been said that Duqu shared functionalities with Stuxnet. We focused on the driver used by Duqu during the infection. Our contribution consists in reverse-engineering the driver: we rebuilt its source code and analyzed the mechanisms it uses to execute the payload while avoiding detection. Then we diverted the driver into a defensive version capable of detecting injections in Windows binaries, thus preventing further attacks. We specifically show how Duqu's modified driver would have detected Duqu.
  • Keywords
    device drivers; invasive software; operating systems (computers); reverse engineering; source code (software); Duqu driver; Stuxnet; Windows binaries; attack prevention; injection detection; propagation techniques; reverse engineering; source code; Cryptography; Kernel; Malware; Monitoring; Payloads
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Malicious and Unwanted Software: "The Americas" (MALWARE), 2013 8th International Conference on
  • Conference_Location
    Fajardo, PR
  • Print_ISBN
    978-1-4799-2534-6
  • Type
    conf
  • DOI
    10.1109/MALWARE.2013.6703692
  • Filename
    6703692