Duqu Exploited Zero-Day Vulnerability in Microsoft Windows Kernel

The Duqu Trojan discovered two weeks ago exploits at least one zero-day vulnerability in Microsoft Windows, according to security researchers.

The vulnerability was triggered by a booby-trapped Word document, according to a post from researchers from Hungary's Laboratory of Cryptography and System Security on Nov. 1. Microsoft is working to address the issue and will release a security update, Microsoft Trustworthy Computing's Jerry Bryant said in a statement. No timeline was provided for the fix.

"As a result of our investigation, we identified a dropper file with an MS 0-day kernel exploit inside," the CrySys researchers wrote.

There are currently no workarounds users can follow to prevent getting infected by Duqu, other than to continue being vigilant and not open suspicious files attached to emails. Researchers are still investigating whether Duqu exploited any other vulnerabilities or used other attack vectors to spread. The Stuxnet worm, which many researchers, including Symantec and CrySys, believe was developed by the same team behind Duqu because of commonalities in code, exploited four zero-day vulnerabilities.

The Word document was worded in a way to “definitively target the intended receiving organization,” Symantec researchers said, who confirmed the discovery by CrySys.

The installer file is a malicious Microsoft Word document that exploits a previously unknown security flaw in the Windows kernel that allows remote code execution. Once the user opens the file, the malicious code executes and installs the Duqu remote access Trojan on the system and begins monitoring the network, according to Symantec. Interestingly, the malicious code specified that Duqu would be installed during an eight-day window in August. Researchers had discovered previously that the Trojan was configured to run for 36 days and then delete itself from the system.

In at least one organization that was infected, Duqu spread across the network through the Server Message Block protocol used for file and printer sharing functions between machines, according to researchers. Even if the computer was not connected to the Internet, the malware was able to communicate with remote command and control servers by routing its connection through another computer on the network that had Internet access via the SMB protocol.

"This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies,” Symantec researchers wrote.

The Duqu Trojan was discovered in October by CrySys and publicized by Symantec. The Trojan garnered a lot of attention because of its similarities to Stuxnet, the worm that infected industrial control systems and damaged centrifuges in Iran's Natanz nuclear facility. Even though several researchers since then have cast doubt on CrySys and Symantec's claim that Duqu and Stuxnet were developed by the same team, Symantec continues to assert there is a link between the two pieces of malware.

Researchers have been diligently searching for Duqu's distribution mechanism to figure out how it infected systems. This discovery is a key step in understanding how it spread and its primary target. At the moment, Duqu appears to have infected approximately six organizations in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Vietnam, Iran and Sudan. Symantec also identified another C&C server in Belgium, which has been taken offline. The company had already identified one in India, which was taken offline over the weekend. In addition, there are reports of infections in Hungary, Indonesia and the United Kingdom, but they have not yet been confirmed.

This must feel like déjà vu for Microsoft as it rushes to patch a new vulnerability that could be maliciously exploited. The Stuxnet worm exploited four zero-days in Windows. The company fixed the issues via an out-of-band update and scheduled Patch Tuesday releases last year.