The Duqu 2.0 persistence module

We have described how Duqu 2.0 does not have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.

What was that Wiper thing?

In April 2012, several stories were published about a mysterious malware attack shutting down computer systems at businesses throughout Iran. Several articles mentioned that a virus named Wiper was responsible. Yet, no samples were available from these attacks, causing many…

Online detection of Gauss

After the publication of our whitepaper about the Gauss cyber-attack, we have been asked if there is an easy way for users to check their system for infection. Of course, the most reliable way is to download and install our antivirus solution, but if someone needs to double-check, or for some reason cannot download the full antivirus package, we offer a quick and easy way to check for the presence of the Gauss component.

Gauss: Nation-state cyber-surveillance meets banking Trojan

Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga. It was probably created in mid-2011 and deployed for the first time in August-September 2011. Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU), following the discovery of Flame, which is part of a sustained effort to mitigate the risk posed by cyber-weapons.

The Day The Stuxnet Died

Deep inside one of Stuxnet’s configuration blocks, a certain 8-byte variable holds a number which, if read as a date, points to June 24th, 2012. This is actually the date when Stuxnet’s LNK replication sub-routines (https://securelist.com/myrtus-and-guava-episode-1/29614/) stop working and the worm stops infecting USB memory sticks.

The mystery of Duqu: Part Ten

At the end of last year the authors of Duqu and Stuxnet tried to eliminate all traces of their activity. They wiped all the servers they had used since 2009 or even earlier. The cleanup happened on October 20. There were virtually no traces of Duqu since then. But several days ago our colleagues at Symantec announced that they had found a new in-the-wild driver that is very similar to known Duqu drivers. Earlier versions of the Duqu driver were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012. So, the authors of Duqu are back after a 4-month break.