Analysis and Diversion of Duqu's Driver

Guillaume Bonfante 1 Jean-Yves Marion 1 Fabrice Sabatier 1 Aurélien Thierry 1
1 CARTE - Theoretical adverse computations, and safety
Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
Abstract: The propagation techniques and the payload of Duqu have been closely studied over the past year, and Duqu has been reported to share functionality with Stuxnet. We focus on the driver that Duqu uses during infection. Our contribution consists in reverse-engineering this driver: we rebuilt its source code and analyzed the mechanisms it uses to execute the payload while evading detection. We then diverted the driver into a defensive version capable of detecting injections into Windows binaries, thereby preventing further attacks of this kind. In particular, we show how the modified Duqu driver would have detected Duqu itself.
Document type:
Conference paper
Malware 2013 - 8th International Conference on Malicious and Unwanted Software, Oct 2013, Fajardo, Puerto Rico. IEEE, 2013


https://hal.inria.fr/hal-00925517
Contributor: Aurélien Thierry
Submitted on: Wednesday 8 January 2014 - 10:56:48
Last modified on: Thursday 11 January 2018 - 06:21:25
Long-term archiving on: Tuesday 8 April 2014 - 22:31:36

Files

malware2013.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-00925517, version 1
  • ARXIV : 1401.6120

Citation

Guillaume Bonfante, Jean-Yves Marion, Fabrice Sabatier, Aurélien Thierry. Analysis and Diversion of Duqu's Driver. Malware 2013 - 8th International Conference on Malicious and Unwanted Software, Oct 2013, Fajardo, Puerto Rico. IEEE, 2013. 〈hal-00925517〉

Metrics

Record views: 486
File downloads: 396