Researchers have finally uncovered an installation file used by the Duqu Trojan to infect computers. It appears to exploit at least one Windows kernel zero-day vulnerability.
Duqu Trojan discovered two weeks ago exploits at least one zero-day
vulnerability in Microsoft Windows, according to security researchers.
vulnerability was triggered by a booby-trapped Word document, according to a
post from researchers from Hungary's Laboratory of Cryptography and System
Security on Nov. 1. Microsoft is working to address the issue and will release
a security update, Microsoft Trustworthy Computing's Jerry Bryant said in a
statement. No timeline was provided for the fix.
a result of our investigation, we identified a dropper file with an MS 0-day
kernel exploit inside," the CrySys researchers wrote.
are currently no workarounds users can follow to prevent getting infected by
Duqu, other than to continue being vigilant and not open suspicious files
attached to emails. Researchers are still investigating whether Duqu exploited
any other vulnerabilities or used other attack vectors to spread. The Stuxnet
worm, which many researchers, including Symantec and CrySys, believe was
developed by the same team behind Duqu because of commonalities in code,
exploited four zero-day vulnerabilities.
Word document was worded in a way to "definitively target the intended
receiving organization," Symantec
researchers said, who confirmed the discovery by CrySys.
installer file is a malicious Microsoft Word document that exploits a
previously unknown security flaw in the Windows kernel that allows remote code
execution. Once the user opens the file, the malicious code executes and
installs the Duqu remote access Trojan on the system and begins monitoring the
network, according to Symantec. Interestingly, the malicious code specified that
Duqu would be installed during an eight-day window in August. Researchers had
discovered previously that the Trojan was configured to run for 36 days and
then delete itself from the system.
at least one organization that was infected, Duqu spread across the network
through the Server Message Block protocol used for file and printer sharing
functions between machines, according to researchers. Even if the computer was
not connected to the Internet, the malware was able to communicate with remote
command and control servers by routing its connection through another computer
on the network that had Internet access via the SMB protocol.
allowed the attackers to access Duqu infections in secure zones with the help
of computers outside the secure zone being used as proxies," Symantec
Duqu Trojan was discovered in October by CrySys and publicized
. The Trojan garnered a lot of attention because of its
similarities to Stuxnet, the worm that infected industrial control systems and
damaged centrifuges in Iran's Natanz nuclear facility. Even though several
researchers since then have cast
on CrySys and Symantec's claim that Duqu and Stuxnet were developed
by the same team, Symantec continues to assert there is a link between the two
pieces of malware.
have been diligently searching for Duqu's distribution mechanism to figure out
how it infected systems. This discovery is a key step in understanding how it
spread and its primary target. At the moment, Duqu appears to have infected approximately
six organizations in eight countries: France, the Netherlands, Switzerland,
Ukraine, India, Vietnam, Iran and Sudan. Symantec also identified another
C&C server in Belgium, which has been taken offline. The company had
already identified one in India, which was taken offline
over the weekend
. In addition, there are reports of infections in Hungary,
Indonesia and the United Kingdom, but they have not yet been confirmed.
must feel like d??Â«j??Ã
vu for Microsoft
as it rushes to patch a new vulnerability that could be
maliciously exploited. The Stuxnet worm exploited four zero-days in Windows.
The company fixed the issues via an out-of-band update and scheduled Patch
Tuesday releases last year.