The 2006 paper calls the Dual EC DRBG as DEC PRG. They're the same thing.
Their attack does work in the advertised time, but it a purely distinguishing attack, i.e., it tells you "this stream of random bits was generated by the DEC PRG". It does this by verifying that the number of 256-bit integers constructed using the 240 bits of the generator as least-significant bits are more often valid points on the P-256 curve than truly random 240-bit strings would. A 2007 paper extended this to predict bits.
EDIT: Actually, for the record, the first public attack on the generator was a predictor, in March 2006 [1]. Citing its conclusion:
"While the practical impact of these results are modest, it is hard to see how these flaws would be acceptable in a pseudo-random bit generator based on symmetric cryptographic primitives. They should not be accepted in a generator based on number-theoretic assumptions."
Their attack does work in the advertised time, but it a purely distinguishing attack, i.e., it tells you "this stream of random bits was generated by the DEC PRG". It does this by verifying that the number of 256-bit integers constructed using the 240 bits of the generator as least-significant bits are more often valid points on the P-256 curve than truly random 240-bit strings would. A 2007 paper extended this to predict bits.
EDIT: Actually, for the record, the first public attack on the generator was a predictor, in March 2006 [1]. Citing its conclusion:
"While the practical impact of these results are modest, it is hard to see how these flaws would be acceptable in a pseudo-random bit generator based on symmetric cryptographic primitives. They should not be accepted in a generator based on number-theoretic assumptions."
[1] http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-commen...