APT (Targeted attacks)

While analyzing the components of Duqu, we discovered an interesting anomaly in the main component that is responsible for its business logics, the Payload DLL. We would like to share our findings and ask for help identifying the code.

The IT security world in 2011 can be summed up in a single word – explosive!

We have been studying the Duqu Trojan for two months now, exploring how it emerged, where it was distributed and how it operates. Despite the large volume of data obtained (most of which has yet to be published), we still lack the answer to the fundamental question – who is behind Duqu?

We have been studying the Duqu Trojan for two months now, exploring how it emerged, where it was distributed and how it operates.

Over the past few weeks, we have been busy researching the Command and Control infrastructure used by Duqu

Once the driver is loaded, it decrypts a small block that contains its registry key and the name of the registry value to be read from that key. It also contains the name of the driver object to create

Comparing the data we uncovered with that obtained by other researchers and antivirus companies, we’ve elicited various common traits that have revealed the approximate timeline and overall methods used by Duqu’s authors.

First things first, I have to point out a mistake in the previous text. When analyzing the fourth incident in Iran, we stated that there were two network attacks on a victim machine from the IP address 63.87.255.149. It could have been an exclusive version of Duqu, but it turned out to be a big mistake.

Our investigation and research of Duqu malware continues.

First of all, we feel it necessary to clarify some of the confusion surrounding the files and their names related to this incident. To get a full understanding of the situation you only need to know that we’re talking about just two malicious programs here (at a minimum) – the main module and a keylogger.

This work-in-progress investigation tracks the Duqu Trojan and offers some answers to commonly asked questions.

While it was noted that AV vendors reliably detect related ShadyRAT downloader components, discussion of other components were absent.

The US Senate and the International Monetary Fund (IMF) are just the latest in a growing line of high profile companies that have been subjected to a targeted cyberattack

There Is No Blogpost. There are only two pictures here.

The year 2010 has been almost identical to the previous one in terms of malware evolution. Generally speaking, trends have not changed that much and nor have the targets for attack; though certain malicious activities have progressed dramatically.