Hungarian researchers responsible for detecting the Duqu trojan have released an open source detector toolkit to assist in finding traces of the trojan on a computer or in a whole network.
Duqu Detector Toolkit v1.01, released by the Laboratory of Cryptography and System Security (CrySyS) in Budapest, contains signature- and heuristics-based methods capable of discovering traces of infections where pieces of the malware have already been removed from the system.
CrySyS researchers say the kit contains simple, easy-to-analyze source code that looks for anomalies -- such as suspicious files -- and known indicators of the presence of Duqu on analysed computers.
However, the researchers warn that professional personnel are needed to analyse the log files to weed out false positives.
Critical infrastructures can also be examined using the toolkit -- an important strategy as Duqu bears a striking resemblance to the Stuxnet worm that crippled Iranian nuclear facilities last year.
Symantec researchers examined two variants of Duqu. Once on a machine, the strains download a remote access tool, which allows the malware to take control of the computer and begin communication with a command-and-control hub.
In the case of one of the variants studied, it installed an "Infostealer" trojan, designed to record keystrokes and map networks.
The exploit code, according to McAfee researchers Guilherme Venere and Peter Szor, mimics Stuxnet in its encryption keys and drivers. Like Stuxnet, the threat uses a driver file signed with a legitimate digital certificate, in this case issued by Taiwan-based C-Media Electronics, according to F-Secure.
In its analysis of Duqu, CrySyS detected a dropper file with an MS 0-day kernel exploit inside. A computer could be infected with Duqu if a person was duped into opening a Microsoft Word document tainted with the worm sent via email.
The flaw is in Windows' Win32k TrueType font parsing engine. Earlier this month, Microsoft ssued a temporary fix for a vulnerability in the Windows kernel used to spread Duqu but has not issued a permanent fix for the flaw.