ITPRO

Printed from www.itpro.co.uk


Microsoft Windows vulnerability exploited by Duqu

More information on the mystery that is Duqu emerges, adding more weight to the claim that the malware was created by Stuxnet's authors.

By Tom Brewster, 2 Nov 2011 at 14:43


The Duqu malware, believed by some to be a product of the Stuxnet creators, used a Microsoft Windows flaw to exploit targets' systems.

Duqu was uncovered by Hungarian security company CrySys Labs last month and, as it used much of the same code as Stuxnet, was thought to have been forged by the same hands.

Security researchers were previously at a loss as to how the Duqu malware was able to find its way onto people's computers, but now the missing link has been found.

"The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution," Symantec explained in a blog post.

"When the file is opened, malicious code executes and installs the main Duqu binaries."

Thanks to the shellcode, Duqu could only be installed during an eight-day period in August, the security giant reported, noting that attackers could command Duqu to spread to other machines within an organisation.

In some cases Duqu was seen using a peer-to-peer network in order to talk with other infected machines before communicating with the attackers' command and control centre.

"Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies," Symantec said.

Microsoft is currently working on a patch for the vulnerability, believed by some to be in win32k.sys, but a fix is not expected in November's Patch Tuesday.

[Image from Symantec: the Duqu attack method]

According to Kaspersky, the new evidence adds further weight to suggestions that the Stuxnet creators really were behind Duqu.

"The detection of the dropper and the route used to penetrate the system (a targeted attack against a specific victim conducted via email) proves our theory that the Duqu attacks are directed against a very small number of victims and in each case, they can employ unique sets of files," Kaspersky said in its own blog post.

"To infect other computers in the network, Duqu seems to be using scheduled jobs, a technique that we’ve also seen in Stuxnet and is a preferred choice of APTs. These, together with other previously known details, reinforce the theory that Stuxnet and Duqu were created by the same people."

The Russian security firm said it had detected three victims in Sudan and four in Iran. Symantec said six "possible organisations" in eight countries, including the UK, have confirmed infections.
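Kaspersky's observation that Duqu spreads inside a network by creating scheduled jobs points at a log source defenders already have: Windows Security event 4698 ("A scheduled task was created"). The script below is an added example, not code from the article, Symantec or Kaspersky. It reviews a handful of constructed 4698-style records and flags two patterns that fit task-based lateral movement: a task whose command lives in a user-writable location, and the same task name appearing on several hosts within a short window. The field names, task names and paths in the sample records are assumptions made for illustration; the Task Scheduler XML namespace is the real one Windows uses.

```python
"""Added example: flag scheduled-task creations (Security event 4698) that
look like task-based lateral movement. Sample records are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Locations a scheduled task's executable should rarely live in.
# A UNC path (\\host\share\...) is included because it means the binary
# is being pulled from another machine.
SUSPICIOUS_PATH_PREFIXES = (
    "c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "\\\\",
)

# Constructed records modelled on the fields of event 4698: host, UTC time,
# creating account, task name and the task definition XML. Not real logs.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

def _task_xml(command, arguments=""):
    """Build a minimal Task Scheduler definition for the sample data."""
    args = f"<Arguments>{arguments}</Arguments>" if arguments else ""
    return (f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
            f"<Command>{command}</Command>{args}</Exec></Actions></Task>")

SAMPLE_EVENTS = [
    # Benign built-in task on a file server.
    {"host": "FS01", "time": "2011-10-20T08:00:00", "user": "SYSTEM",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_content": _task_xml("C:\\Windows\\System32\\defrag.exe", "-c")},
    # Same oddly-named task created on three workstations within ten minutes,
    # each pointing at a binary dropped in a user-writable directory.
    {"host": "WS17", "time": "2011-10-20T09:12:00", "user": "jdoe",
     "task_name": "\\SysUpdate",
     "task_content": _task_xml("C:\\Users\\Public\\svchost.exe")},
    {"host": "WS22", "time": "2011-10-20T09:15:00", "user": "jdoe",
     "task_name": "\\SysUpdate",
     "task_content": _task_xml("C:\\Users\\Public\\svchost.exe")},
    {"host": "WS31", "time": "2011-10-20T09:20:00", "user": "jdoe",
     "task_name": "\\SysUpdate",
     "task_content": _task_xml("C:\\Users\\Public\\svchost.exe")},
]

def task_commands(task_content):
    """Return every <Command> value in a task definition. Works whether or
    not the XML carries the Task Scheduler namespace; a definition that does
    not parse yields no commands instead of raising."""
    try:
        root = ET.fromstring(task_content)
    except ET.ParseError:
        return []
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Command" and el.text]

def flag_task_events(events, fanout_hosts=3, window=timedelta(minutes=30)):
    """Return a list of findings. Two reasons are produced:
    'user-writable-path': the task runs a binary from a suspicious location;
    'fan-out': one task name was created on >= fanout_hosts distinct hosts
               inside `window`, which is the shape of scripted lateral movement."""
    findings = []
    by_task = defaultdict(list)
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        by_task[ev["task_name"]].append((when, ev["host"]))
        for cmd in task_commands(ev["task_content"]):
            if cmd.lower().startswith(SUSPICIOUS_PATH_PREFIXES):
                findings.append({"reason": "user-writable-path",
                                 "host": ev["host"], "user": ev["user"],
                                 "task_name": ev["task_name"], "command": cmd})
    for name, seen in by_task.items():
        seen.sort()
        # Slide a window from each creation time and count distinct hosts.
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= fanout_hosts:
                findings.append({"reason": "fan-out", "task_name": name,
                                 "hosts": sorted(hosts),
                                 "window_start": start.isoformat()})
                break  # one finding per task name is enough
    return findings

if __name__ == "__main__":
    for f in flag_task_events(SAMPLE_EVENTS):
        print(f)
```

On the sample data the benign defrag task produces nothing, each of the three `\SysUpdate` creations is flagged for its user-writable path, and the task name itself is flagged once for fan-out across WS17, WS22 and WS31. In practice the thresholds need tuning per environment, and the fan-out rule should be run over 4698 events collected centrally, since the whole point of the pattern is that no single host sees more than one creation.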
