Cybersecurity: An Essential Guide to Computer and Cyber Security for Beginners, Including Ethical Hacking, Risk Assessment, Social Engineering, Attack and Defense Strategies, and Cyberwarfare by Lester Evans

Author: Lester Evans
Language: eng
Format: azw3
Published: 2018-12-06T16:00:00+00:00


Duqu

Also known as “son of Stuxnet”, Duqu is a 2011 trojan likely made by the same authors, as it used similar code and also targeted Iran. Though researchers seem quite confident that's the case[34], do keep in mind that misdirection is a big part of cyber-warfare, and it's just as likely that someone falsified data breadcrumbs to stoke antagonism between Israel, the US, and Iran. Remember what we said in the introduction of this book – be thoroughly paranoid when dealing with cybersecurity. In some sense, reality is much weirder than any kind of fiction, and we can't ever be completely certain who's telling the truth. Anyway, Duqu was not as discriminating as Stuxnet and could implant itself into any computer in any organization. Its end goal, however, remains unknown.

The name Duqu comes from the keylogger module, which named the log files it generated DQ.TMP. Duqu spread through malicious Word documents that again exploited a zero-day to run arbitrary code with the highest administrator privileges. The authors used a buffer overflow, a strange behavior that code exhibits when faced with unusual data or requests. In general, well-written code has a tightly defined range of acceptable data and strict responses to unusual inputs. For example, the Windows built-in calculator should only deal with numbers and mathematical operators, so trying to load a JPEG file or a piece of JavaScript code shouldn't work or would at worst crash the calculator. That is, if the software engineers wrote the code right. If the program is left to decide what to do, then anything can happen, depending on how complex the program is.

Duqu used a buffer overflow in Word fonts, in particular a font named “Dexter Regular”. Details are scarce because of “security through obscurity”, but in general the idea is that a font can contain extra data that gives it visual flourish; a malicious font like this one actually has code embedded in it. When the WIN32K.SYS file, which in Windows is usually dedicated to processing graphical content and displaying it on a monitor or sending it to a printer, accesses this malicious font, the buffer overflow triggers. Since WIN32K.SYS has access to the kernel, the core of a computer, it bypasses all checks and balances in order to maintain performance. That's when the code is executed, which lets the trojan be loaded into RAM with the highest administrator privileges. Meanwhile, the Word document opens and may show a couple of pages with normal content. It's a pretty clever trick overall.
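To make the point about a tightly defined range of acceptable data concrete, here is an added illustration that is not from the book and is not the real WIN32K.SYS/Dexter font defect (whose details, as the text notes, are scarce): a parser for a constructed toy font record whose header declares how many name bytes follow, first trusting that field as the data states it, then checking it against the buffer that has to hold it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy "font record" for illustration only, not a real font
 * format: a 2-byte big-endian name length, then the name bytes. */
#define NAME_MAX 16

typedef struct {
    char name[NAME_MAX];
    size_t len;
} glyph_name_t;

/* Naive parser: trusts the length field inside the data. A record that
 * declares a length larger than NAME_MAX makes memcpy write past name[],
 * which is the kind of defect the chapter calls a buffer overflow.
 * Kept only for contrast; it must never see untrusted input. */
void parse_naive(const uint8_t *rec, glyph_name_t *out)
{
    size_t declared = ((size_t)rec[0] << 8) | rec[1];
    memcpy(out->name, rec + 2, declared);   /* no bounds check at all */
    out->len = declared;
}

/* Hardened parser: the acceptable range is defined up front and every
 * unusual input gets the same strict answer (reject and touch nothing).
 * rec_size is the number of bytes actually present in the record. */
int parse_checked(const uint8_t *rec, size_t rec_size, glyph_name_t *out)
{
    if (rec == NULL || out == NULL || rec_size < 2)
        return -1;                          /* too short to hold a header */
    size_t declared = ((size_t)rec[0] << 8) | rec[1];
    if (declared > NAME_MAX)
        return -1;                          /* would overflow name[] */
    if (declared > rec_size - 2)
        return -1;                          /* claims more bytes than exist */
    memcpy(out->name, rec + 2, declared);
    out->len = declared;
    return 0;
}

/* Returns the parsed name length, or -1 when the record is rejected. */
int checked_name_len(const uint8_t *rec, size_t rec_size)
{
    glyph_name_t g;
    return parse_checked(rec, rec_size, &g) == 0 ? (int)g.len : -1;
}

/* Constructed sample records: a well-formed one, and one whose header
 * claims 0x4000 name bytes while only four actually follow. */
const uint8_t good_rec[] = { 0x00, 0x05, 'A', 'l', 'p', 'h', 'a' };
const uint8_t bad_rec[]  = { 0x40, 0x00, 'D', 'e', 'x', 't' };
```

Running `checked_name_len` over `bad_rec` returns -1 before any byte is copied, whereas `parse_naive` would copy 16384 bytes into a 16-byte field.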

At first Duqu does nothing but keep track of keyboard and mouse activity; once that activity ceases for about ten minutes, it starts downloading additional modules. The first reported victims were actually cybersecurity firms that simulated hacking attacks against their own networks and discovered Duqu code. One theory[35] for Duqu's purpose is that it was meant to target security firms, such as those providing antivirus services, to compromise their products and steal digital certificates. However, Duqu could also be equipped with a special module that would erase the victim's entire hard drive.


