We developed a detector toolkit that combines simple detection techniques to find Duqu infections on a computer or in a whole network. The toolkit contains signature and heuristics based methods and it is able to find traces of infections where components of the malware are already removed from the system.
The intention behind the tools is to find different types of anomalies (e.g., suspicious files) and known indicators of the presence of Duqu on the analyzed computer. As other anomaly detection tools, it is possible that it generates false positives. Therefore, professional personnel is needed to elaborate the resulting log files of the tool and decide about further steps.
This toolkit contains very simple, easy-to-analyze program source code, thus it may also be used in special environments, e.g. in critical infrastructures, after inspection of the source code (to check that there is no backdoor or malicious code inside) and recompiling.
Download
Updated version v1.02: GPLv3 license applies.
v1.02 manual (text)
http://www.crysys.hu/duqudetector-fi…nual-v1_02.txt
v1.02 all files (.zip)
http://www.crysys.hu/duqudetector-fi…ctor-v1_02.zip