The Hungarian research lab credited with discovering the Duqu cyber-surveillance trojan has released a detector toolkit to help find Duqu infections on a computer or in a whole network.
The open-source toolkit, from the Laboratory of Cryptography and System Security (CrySyS), contains signature- and heuristics-based methods that can find traces of Duqu infections even where components of the malware have already been removed from the system.
From the CrySyS documentation:
The intention behind the tools is to find different types of anomalies (e.g., suspicious files) and known indicators of the presence of Duqu on the analyzed computer. As with other anomaly detection tools, it is possible that it generates false positives. Therefore, professional personnel are needed to evaluate the resulting log files of the tool and decide on further steps.
This toolkit contains very simple, easy-to-analyze program source code, so it may also be used in special environments, e.g. in critical infrastructures, after inspection of the source code (to check that there is no backdoor or malicious code inside) and recompiling. The toolkit may also detect new, modified versions of the Duqu threat.
Duqu deactivates after a time limit and removes itself from the computer, but some temporary files could still indicate that the computer was affected by a former Duqu infection; our toolkit might identify these cases, too.
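To make concrete the two detection approaches the CrySyS documentation describes (exact-match signatures for known components, plus heuristics for leftover artifacts such as temporary files that survive the malware's self-removal), here is a small scanner written for this article. It is an added example, not the CrySyS toolkit's own code, and it does not use any real Duqu indicator: the hash list, the file-name heuristic and the sample directory it scans are all constructed here for illustration. Its output is deliberately a list of findings for an analyst to review rather than a verdict, because, as the documentation warns, heuristics produce false positives (the misnamed PE file in the sample tree is one).

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Signature list: SHA-256 of known-bad files. CONSTRUCTED for this example;
# a real deployment would load the indicator list shipped with the toolkit.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZconstructed-sample-driver-bytes").hexdigest():
        "constructed-sample-driver",
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "signature" (exact match) or "heuristic" (needs analyst review)
    detail: str


def heuristic_flags(path: str, head: bytes) -> list[str]:
    """Heuristic checks on a file's name and first bytes.

    Both rules are hypothetical examples of the kind of residue check the
    documentation mentions; neither is a published Duqu indicator.
    """
    name = os.path.basename(path)
    flags = []
    # Leftover temp files: tilde-prefixed, no extension.
    if name.startswith("~") and "." not in name:
        flags.append("tilde-prefixed extensionless temp file")
    # A PE image (MZ header) hiding under a non-executable file name.
    if head.startswith(b"MZ") and not name.lower().endswith((".exe", ".dll", ".sys")):
        flags.append("PE header in non-executable filename")
    return flags


def scan(root: str) -> list[Finding]:
    """Walk `root`, applying signature matching and heuristics to every file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                findings.append(Finding(path, "signature", KNOWN_BAD_SHA256[digest]))
            for flag in heuristic_flags(path, data[:2]):
                findings.append(Finding(path, "heuristic", flag))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample files: one clean, one signature hit, one leftover
    temp file, and one benign-but-misnamed PE (a heuristic false positive)."""
    samples = {
        "notes.txt": b"meeting notes",
        "driver.sys": b"MZconstructed-sample-driver-bytes",
        "~TMP123": b"MZ" + b"\x00" * 64,
        "report.pdf": b"MZ" + b"\x00" * 16,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo() -> list[tuple[str, str, str]]:
    """Scan the constructed tree; return (kind, filename, detail) sorted."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(
            (f.kind, os.path.basename(f.path), f.detail) for f in scan(root)
        )


if __name__ == "__main__":
    for kind, name, detail in demo():
        print(f"[{kind:9}] {name}: {detail}")
```

Signature hits are high-confidence; everything tagged `heuristic` is a lead to be confirmed by hand, which is the triage the CrySyS text asks for.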
Duqu, which is being used to spy on select targets around the world, contains “striking similarities” to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran.