
Zero-Day Vulnerability in Windows Exploited by Duqu Trojan

By Wong Chung Wee - on 3 Nov 2011, 5:16pm


Security researchers at CrySyS have uncovered the installer file for the recently discovered Duqu trojan. According to Symantec, the Duqu installer is embedded in a malicious Microsoft Office Word document that arrives as an email attachment. It exploits a previously unknown vulnerability in the Windows kernel to execute itself and install the main Duqu binaries.

Duqu infection schematics. (Source: Symantec Corporation)

Once Duqu is installed, the attackers can remotely command it to spread to other systems like a worm. Symantec has also noted a change in its modus operandi: in earlier reports, Duqu attempted to contact its Command & Control (C&C) server directly; it now routes that communication over a file-sharing C&C protocol through another compromised computer that is able to reach the C&C server.

This means that Duqu uses infected computers outside the secure zone as a bridge to those within it, allowing attackers to compromise computers that have no direct access to the Internet. Currently, there are no workarounds for those infected with Duqu. The only way to prevent further infection is to pull the plug on infected systems.

Symantec has contacted Microsoft, and the Redmond software giant has acknowledged the vulnerability and is working diligently towards issuing a patch and advisory. At the time of writing, Duqu infections have been confirmed in six possible organizations in eight countries.

  • Organization A - France, Netherlands, Switzerland, Ukraine
  • Organization B - India
  • Organization C - Iran
  • Organization D - Iran
  • Organization E - Sudan
  • Organization F - Vietnam

Symantec also stated that other security vendors have reported Duqu sightings in the following countries:

  • Austria
  • Hungary
  • Indonesia
  • United Kingdom
  • Iran - infections different from those observed by Symantec

For more information, please read the Duqu whitepaper by Symantec here.

Source: Symantec Corporation
