
Duqu 2.0

Is Sophos currently detecting Duqu 2.0? If so, what is it being labeled as? Possibly Troj/Duqu-K; I have no information about that. This threat was discovered about a year ago. Symantec labeled it W32.Duqu.B.

If anyone has some information on that, it would be helpful.

Thanks,



  • Hey Tim.

    Due to the way we write detections for our engine, we don't rely on a specific definition for Duqu. You're right in that Troj/Duqu-K is one written for the Duqu genotype; however, we have many other definitions that will trigger when malware similar to Duqu hits your machine. We spend a lot of time writing generic detections that will capture huge numbers of malware variants, old but also new.

    We have seen plenty of Duqu 2.0 samples and, from the variants we've seen, we offer protection. The driver it uses for persistence is signed by a known stolen code-signing certificate, so this helps in detection capabilities.
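As an added illustration, not code from this thread or from Sophos: a defender-side PowerShell audit that lists installed kernel drivers and flags any whose Authenticode signer thumbprint matches a locally maintained blocklist of known-stolen certificates, or whose signature does not validate at all. The thumbprint in `$KnownStolenThumbprints` is a placeholder, not a real indicator; populate it from your own threat intelligence.

```powershell
# Added example (not from the Sophos thread): audit installed kernel drivers
# and flag any signed by a blocklisted (known-stolen/revoked) certificate,
# or whose Authenticode signature does not validate.
# $KnownStolenThumbprints holds a PLACEHOLDER value only.
$KnownStolenThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, not a real thumbprint
)

function Test-DriverSignatures {
    param(
        [string[]] $BlockedThumbprints = $KnownStolenThumbprints
    )
    # Win32_SystemDriver lists every installed kernel driver with its on-disk path
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName }           # skip entries with no file path

    foreach ($drv in $drivers) {
        # PathName may be quoted, or carry a \??\ or \SystemRoot prefix; normalise it
        $path = $drv.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }   # relative paths are skipped

        $sig   = Get-AuthenticodeSignature -FilePath $path
        $cert  = $sig.SignerCertificate
        $thumb = if ($cert) { $cert.Thumbprint } else { $null }

        if ($thumb -and ($BlockedThumbprints -contains $thumb)) {
            $verdict = 'BLOCKLISTED-SIGNER'        # signed, but with a known-bad certificate
        } elseif ($sig.Status -ne 'Valid') {
            $verdict = "UNTRUSTED ($($sig.Status))"   # NotSigned, HashMismatch, NotTrusted, ...
        } else {
            $verdict = 'ok'
        }

        [pscustomobject]@{
            Driver  = $drv.Name
            State   = $drv.State
            Path    = $path
            Signer  = if ($cert) { $cert.Subject } else { '(unsigned)' }
            Verdict = $verdict
        }
    }
}

# Report only the drivers that need a second look
Test-DriverSignatures | Where-Object { $_.Verdict -ne 'ok' } | Format-Table -AutoSize
```

A blocklist hit on an otherwise "Valid" signature is the interesting case: the certificate chain still verifies, so only the signer identity, not the signature status, reveals the problem.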
