Windows 7 Forums
Windows 7: Windows kernel 'zero-day' found in Duqu attack

02 Nov 2011   #1

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
Windows kernel 'zero-day' found in Duqu attack

Quote:
The vulnerability has since been reported to Microsoft. However, the company has not yet issued a security advisory to provide pre-patch mitigation guidance to Windows users.

One version of the attack was triggered by a rigged Microsoft Word .doc that probably included some social engineering and required the target to open the booby-trapped file. However, since this is a kernel vulnerability, it is possible that other attack vectors have been/could be used.

Here’s more information on the zero-day component from Symantec:

Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares. Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server. The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server. Consequently, Duqu creates a bridge between the network’s internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

While the number of confirmed Duqu infections is still limited, using the above techniques we have seen Duqu spread across several countries. At the time of writing, Duqu infections have been confirmed in six possible organizations in eight countries.
Quote:
Still no formal security advisory from Microsoft but we now have a confirmation via the Microsoft Security Response Center’s Twitter account.

“We are working to address a vulnerability believed to be connected to the Duqu malware.”


Here’s a direct quote from Microsoft’s Jerry Bryant:

“Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process.”
Read More:

Windows kernel 'zero-day' found in Duqu attack | ZDNet



02 Nov 2011   #2

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1

Was just coming to post this

Quote:
In the continuing saga of the malware known as Duqu, CrySyS Lab at the Budapest University of Technology and Economics has announced it was able to acquire a copy of the "dropper" from one of the victims.

What is a dropper and what does this mean? A dropper is a term used by anti-virus researchers to denote a piece of code that is usually installed onto a computer to download further malicious components.

Droppers are typically very small, are designed to evade detection by anti-virus and can sometimes contain exploit code used to inject themselves onto the target computer.

That is why this finding is important. Many analysts still have some doubts as to the relationship between Duqu and Stuxnet, but this piece of the chain of infection was missing. Now with a sample of the missing piece, we can put together a more coherent picture.

The dropper acquired by CrySyS used a Microsoft Word document that targets a zero-day vulnerability in the Windows kernel.

This is an important distinction, as the vulnerability is not in Microsoft Word itself, meaning this flaw could be exploited through other delivery mechanisms.
Source

A Guy
05 Nov 2011   #3

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1

Microsoft issues Duqu virus workaround for Windows

Quote:
Microsoft has issued a temporary fix to the pernicious Duqu virus — also known as "Son of Stuxnet" — which could affect users of Windows XP, Vista, Windows 7 as well as Windows Server 2008.

The company promised the security update earlier this week as it races to deal with the virus, which targets victims via email with a Microsoft Word attachment. The virus is not in the email, but in the attachment itself. A Symantec researcher said if a user opens the Word document, the attacker could take control of the PC, and nose around in an organization's network to look for data, and the virus could propagate itself.
Source

A Guy


07 Nov 2011   #4
JMH

Win 7 Ultimate 64-bit. SP1.
Microsoft Fix it for Duqu Malware, Security Advisory 2639658

Quote:
Microsoft released Security Advisory 2639658 which relates to a Windows kernel issue related to the Duqu malware, a trojan that injects malicious code into other processes.

As illustrated in the image below of the Duqu infection schematics, provided by Symantec in Duqu: Status Updates Including Installer with Zero-Day Exploit Found, once infected, the trojan can then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Fix it for Duqu Malware, Security Advisory 2639658 ~ Security Garden
08 Nov 2011   #5

Windows 7 x64 Ultimate SP1

Poor Microsoft, they have just patched the kernel for one TrueType font vulnerability, and now they'll have to patch it again!
13 Nov 2011   #6

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1

Duqu Trojan revealed to be shape-shifting serial killer

Quote:
Security analysts have found more mysterious but fascinating details in the Duqu Trojan, the so-called "son of Stuxnet" discovered just two months ago.

Moscow's Kaspersky Lab got hold of a different variant of Duqu than the original, and found that the Trojan's creators not only may have been working on Duqu since 2007, but seem to have a sense of humor as well.

According to Kaspersky's Alexander Gostev, the Duqu infection vector is customized for each target, and its code contains a joking reference to "Dexter," the long-running Showtime TV series about a morally ambiguous serial killer.

Kaspersky analyzed a spear-phishing email directed at an undisclosed company, which was attacked by Duqu twice in mid-April of this year but did not realize what hit it until recently.
Source

A Guy