The Hungarian research facility that helped discover Duqu has now released an open-source toolkit that can be used to help detect traces and instances of the worm.
The Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics developed the Duqu Detector Toolkit v1.01 to be used on computers and networks where the malware may have already been removed from the system. Duqu, a cousin of the Stuxnet worm that infected uranium enrichment facilities in Iran, famously had a hard-coded 36-day lifespan. But systems may still retain certain Duqu files even after the virus has deactivated itself. By focusing on what they refer to as “suspicious files,” the toolkit can “detect new, modified versions of the Duqu threat,” CrySys said.
Like other toolkits, CrySys says, the tool could still generate false positives, and it therefore encourages having a professional look over the log files of each test.
As Threatpost previously reported, users can be infected with Duqu after opening a particular Word document that exploits a flaw in Windows' Win32k TrueType font parsing engine, leading to remote code execution. Microsoft has maintained that it is working on a patch for the bug, but in the meantime released a workaround for the kernel flaw late last week.