Windows 7: Windows kernel 'zero-day' found in Duqu attack
02 Nov 2011
#1 | Windows 7 Home Premium 32 bit | In a house with a cat trying to kill me
Windows kernel 'zero-day' found in Duqu attack
Quote: The vulnerability has since been reported to Microsoft. However, the company has not yet issued a security advisory to provide pre-patch mitigation guidance to Windows users.
One version of the attack was triggered by a rigged Microsoft Word .doc that probably included some social engineering and required the target to open the booby-trapped file. However, since this is a kernel vulnerability, it is possible that other attack vectors have been/could be used.
Here’s more information on the zero-day component from Symantec: Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares. Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server. The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server. Consequently, Duqu creates a bridge between the network’s internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.
While the number of confirmed Duqu infections is still limited, using the above techniques we have seen Duqu spread across several countries. At the time of writing, Duqu infections have been confirmed in six possible organizations in eight countries.
Quote: Still no formal security advisory from Microsoft but we now have a confirmation via the Microsoft Security Response Center’s Twitter account.
“We are working to address a vulnerability believed to be connected to the Duqu malware.”
Here’s a direct quote from Microsoft’s Jerry Bryant:
“Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process.”
Read More: Windows kernel 'zero-day' found in Duqu attack | ZDNet
02 Nov 2011
#2 | Windows 7 Home Premium x64 SP1 | Bay Area Peninsula
Was just coming to post this
Quote: In the continuing saga of the malware known as Duqu, CrySyS Lab at the Budapest University of Technology and Economics has announced it was able to acquire a copy of the "dropper" from one of the victims.
What is a dropper and what does this mean? A dropper is a term used by anti-virus researchers to denote a piece of code that is usually installed onto a computer to download further malicious components.
Droppers are typically very small, are designed to evade detection by anti-virus and can sometimes contain exploit code used to inject themselves onto the target computer.
That is why this finding is important. Many analysts still have some doubts as to the relationship between Duqu and Stuxnet, but this piece of the chain of infection was missing. Now with a sample of the missing piece, we can put together a more coherent picture.
The dropper acquired by CrySyS used a Microsoft Word document that targets a zero-day vulnerability in the Windows kernel.
This is an important distinction, as the vulnerability is not in Microsoft Word itself, meaning this flaw could be exploited through other delivery mechanisms. Source
A Guy
05 Nov 2011
#3 | Windows 7 Home Premium x64 SP1 | Bay Area Peninsula
Microsoft issues Duqu virus workaround for Windows
Quote: Microsoft has issued a temporary fix to the pernicious Duqu virus — also known as "Son of Stuxnet" — which could affect users of Windows XP, Vista, Windows 7 as well as Windows Server 2008.
The company promised the security update earlier this week as it races to deal with the virus, which targets victims via email with a Microsoft Word attachment. The virus is not in the email, but in the attachment itself. A Symantec researcher said if a user opens the Word document, the attacker could take control of the PC, and nose around in an organization's network to look for data, and the virus could propagate itself. Source
A Guy
07 Nov 2011
#4 | Win 7 Ultimate 64-bit. SP1.
Microsoft Fix it for Duqu Malware, Security Advisory 2639658
Quote: Microsoft released Security Advisory 2639658 which relates to a Windows kernel issue related to the Duqu malware, a trojan that injects malicious code into other processes.
As illustrated in the image below of the Duqu infection schematics, provided by Symantec in Duqu: Status Updates Including Installer with Zero-Day Exploit Found, once infected, the trojan can then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Fix it for Duqu Malware, Security Advisory 2639658 ~ Security Garden
08 Nov 2011
#5 | Windows 7 x64 Ultimate SP1 | Croatia
13 Nov 2011
#6 | Windows 7 Home Premium x64 SP1 | Bay Area Peninsula
Duqu Trojan revealed to be shape-shifting serial killer
Quote: Security analysts have found more mysterious but fascinating details in the Duqu Trojan, the so-called "son of Stuxnet" discovered just two months ago.
Moscow's Kaspersky Lab got hold of a different variant of Duqu than the original, and found that the Trojan's creators not only may have been working on Duqu since 2007, but seem to have a sense of humor as well.
According to Kaspersky's Alexander Gostev, the Duqu infection vector is customized for each target, and its code contains a joking reference to "Dexter," the long-running Showtime TV series about a morally ambiguous serial killer.
Kaspersky analyzed a spear-phishing email directed at an undisclosed company, which was attacked by Duqu twice in mid-April of this year but did not realize what hit it until recently. Source
A Guy