DocumentCode
669130
Title
Analysis and diversion of Duqu's driver
Author
Bonfante, Guillaume ; Marion, Jean-Yves ; Sabatier, Fabrice ; Thierry, Aurelien
Author_Institution
Univ. de Lorraine, Loria, France
fYear
2013
fDate
22-24 Oct. 2013
Firstpage
109
Lastpage
115
Abstract
The propagation techniques and the payload of Duqu have been closely studied over the past year, and it has been said that Duqu shared functionality with Stuxnet. We focused on the driver used by Duqu during infection; our contribution consists of reverse-engineering the driver: we rebuilt its source code and analyzed the mechanisms it uses to execute the payload while avoiding detection. We then diverted the driver into a defensive version capable of detecting injections in Windows binaries, thus preventing further attacks. We specifically show how Duqu's modified driver would have detected Duqu.
Keywords
device drivers; invasive software; operating systems (computers); reverse engineering; source code (software); Duqu driver; Stuxnet; Windows binaries; attack prevention; injection detection; propagation techniques; source code; Cryptography; Kernel; Malware; Monitoring; Payloads
fLanguage
English
Publisher
ieee
Conference_Titel
Malicious and Unwanted Software: "The Americas" (MALWARE), 2013 8th International Conference on
Conference_Location
Fajardo, PR
Print_ISBN
978-1-4799-2534-6
Type
conf
DOI
10.1109/MALWARE.2013.6703692
Filename
6703692
Link To Document