Jan 8, 2014

Analysis and Diversion of Duqu's Driver

arXiv:1401.6120v1
10 citations
Originality: Incremental advance
AI Analysis

This work addresses malware detection for cybersecurity practitioners by repurposing an existing threat into a defensive tool; it is incremental in that it builds on prior analysis of Duqu and its relation to Stuxnet rather than introducing a new detection technique.

The researchers reverse-engineered the driver used by the Duqu malware to understand its infection and evasion mechanisms, then repurposed it into a defensive tool that detects injections in Windows binaries, demonstrating it could have detected Duqu itself.

The propagation techniques and the payload of Duqu have been closely studied over the past year, and it has been said that Duqu shares functionality with Stuxnet. We focused on the driver Duqu uses during infection. Our contribution consists in reverse-engineering that driver: we rebuilt its source code and analyzed the mechanisms it uses to execute the payload while avoiding detection. We then diverted the driver into a defensive version capable of detecting injections in Windows binaries, thus preventing further attacks. We specifically show how the modified Duqu driver would have detected Duqu itself.

