 #9696  by Striker
 Mon Nov 14, 2011 12:30 pm
gjf wrote:Iran Government informs they found a way to control Duqu malware (sorry, in Russian only)
English:
// CyberSecurity.ru // - On Sunday the Iranian authorities said they had found a way to control the Duqu malware, which is similar to the Stuxnet worm that attacked Iran's nuclear power plants in 2010. Stuxnet then infected more than 30,000 computers in Iran. According to Brigadier General Gholamreza Jalali of Iran's Civil Defence, Iranian software to remove Duqu has already been distributed to government agencies and companies in the country.

"The process of destroying the malicious code has started, and the organizations that suffered from Duqu are now under control. The cyber-security division is working around the clock to combat this malicious software," he said.

Earlier, Duqu infections had been detected in a dozen countries, including Iran, France, the UK, India, the USA and others. The first large-scale campaigns to spread Duqu were recorded about three weeks ago. Antivirus companies say they have not yet created a free utility to remove Duqu, because it is too complicated and is updated frequently. Like Stuxnet, Duqu focuses on industrial control systems.

Previously, a number of Western media outlets wrote that Stuxnet was created by Israeli and American intelligence services. The authors of Duqu have not yet been unambiguously identified.
 #9821  by mfox
 Tue Nov 22, 2011 12:00 pm
Anyone got the 'installer DLL'?
According to Symantec's and Kaspersky Lab's analysis, the malicious document (dropper) loads a DLL, which they have called 'Installer'; it drops the driver and the main DLL, and creates the registry keys.

Could anyone share it? That would be great for dynamic analysis.
 #9822  by __Genius__
 Tue Nov 22, 2011 12:24 pm
I think the installer is not publicly available yet; it's better to contact Symantec Security Response at this point.
 #10223  by EP_X0FF
 Thu Dec 08, 2011 6:09 am
ssj100 wrote:http://www.securelist.com/en/blog/20819 ... TVs_Dexter

Would any (third-party) security mechanism block this?
Deny access to T2EMBED.DLL

http://technet.microsoft.com/en-us/secu ... ry/2639658

See Suggested Actions, Workarounds.

Duqu is a directed attack, not targeting everything; the exploit is not publicly available and the dropper is under NDA. There is no need to panic.
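As an added example (not from the thread, and not Microsoft's own tooling), here is a PowerShell script that applies the advisory 2639658 workaround of denying all access to t2embed.dll on both the System32 and SysWOW64 copies, verifies the deny entry, and can roll it back with -Undo once the patch is installed. The takeown/icacls usage mirrors the advisory's published workaround commands; the use of the Everyone SID (S-1-1-0) instead of the localized name, the -Undo switch and the Test-T2EmbedDenied check are assumptions of this example.

```powershell
# Added example: apply, verify or roll back the "deny access to t2embed.dll"
# workaround from Microsoft Security Advisory 2639658. Run from an elevated
# PowerShell. Uses the Everyone SID (S-1-1-0) so it works on non-English Windows.
param([switch]$Undo)

$everyoneSid = 'S-1-1-0'
$dlls = @("$env:windir\System32\t2embed.dll")
if (Test-Path "$env:windir\SysWOW64\t2embed.dll") {
    $dlls += "$env:windir\SysWOW64\t2embed.dll"   # 32-bit copy on 64-bit Windows
}

function Test-T2EmbedDenied([string]$Path) {
    # True when an explicit Deny ACE for Everyone (S-1-1-0) is present on the file.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $everyoneSid) { return $true }
    }
    return $false
}

foreach ($dll in $dlls) {
    if (-not (Test-Path $dll)) { continue }
    if ($Undo) {
        # Roll back: remove the Deny ACE so embedded-font handling works again.
        & icacls.exe $dll /remove:d "*$everyoneSid" | Out-Null
    } else {
        # TrustedInstaller owns the file, so take ownership first, then deny Everyone.
        & takeown.exe /f $dll | Out-Null
        & icacls.exe $dll /deny "*${everyoneSid}:(F)" | Out-Null
    }
    $state = if (Test-T2EmbedDenied $dll) { 'DENIED' } else { 'accessible' }
    Write-Output ("{0}: {1}" -f $dll, $state)
}
```

Denying the DLL breaks applications that rely on embedded fonts, so the rollback matters as much as the apply step.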
 #10224  by ssj100
 Thu Dec 08, 2011 6:15 am
EP_X0FF wrote:
ssj100 wrote:http://www.securelist.com/en/blog/20819 ... TVs_Dexter

Would any (third-party) security mechanism block this?
Deny access to T2EMBED.DLL

http://technet.microsoft.com/en-us/secu ... ry/2639658

See Suggested Actions, Workarounds.

Duqu is a directed attack, not targeting everything; the exploit is not publicly available and the dropper is under NDA. There is no need to panic.
I already knew about denying access to T2EMBED.DLL. However, I was wondering if there was any (third-party) security mechanism/program that would always block zero-day threats like this. Hence the reason why I posted the link describing the mechanism of infection.
 #10225  by EP_X0FF
 Thu Dec 08, 2011 6:21 am
ssj100 wrote:However, I was wondering if there was any (third-party) security mechanism/program that would always block zero-day threats like this.
This is impossible. Even if someone is claiming that it will prevent/block any zero-day, it's just a statement of fraud.
 #10226  by ssj100
 Thu Dec 08, 2011 6:33 am
EP_X0FF wrote:
ssj100 wrote:However, I was wondering if there was any (third-party) security mechanism/program that would always block zero-day threats like this.
This is impossible. Even if someone is claiming that it will prevent/block any zero-day, it's just a statement of fraud.
Surely you mean zero-day kernel exploit?