Zero-Day Vulnerability in Windows Exploited by Duqu Trojan
The installer for the recently discovered Duqu trojan has been uncovered by security researchers at CrySyS. According to Symantec, the Duqu installer is embedded in a malicious Microsoft Office Word document that arrives as an email attachment. When opened, the document exploits a previously unknown vulnerability in the Windows kernel to execute the installer, which then drops the main Duqu binaries.
Once Duqu is installed, the attackers can remotely command it to spread to other systems in the manner of a worm. Symantec has also noted a change in its modus operandi: in earlier reports, Duqu contacted its Command & Control (C&C) server directly, whereas the current samples communicate over a file-sharing C&C protocol with another compromised computer that does have the ability to reach the C&C server.
This means Duqu attempts to bridge infected computers outside the secure zone to those within it, allowing the attackers to compromise computers that have no direct Internet access. Currently, there are no workarounds for those infected with Duqu. The only way to prevent further infection is to pull the plug on infected systems.
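The relay behaviour described above has a detectable network footprint: a host that never talks to the Internet starts exchanging file-share traffic with an internal peer, and that peer opens an external connection shortly afterwards. The following Python script is an added example of such a detection heuristic run over constructed flow records; it is not code from Symantec, CrySyS or the Duqu analysis. It assumes the file-sharing protocol is SMB on TCP 445/139 (the article says only "file-sharing C&C protocol"), uses RFC 1918 ranges as "internal", and the sample flows, hosts and 300-second correlation window are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example: RFC 1918 space is "inside the secure zone",
# and the file-sharing protocol used by the relay is SMB/CIFS.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
FILE_SHARE_PORTS = {445, 139}

# Constructed sample flow log (not real traffic). Format per line:
#   <ISO timestamp> <src> -> <dst>:<port> bytes=<n>
SAMPLE_FLOWS = """\
2011-11-01T10:00:00 10.0.1.5 -> 10.0.1.9:445 bytes=12288
2011-11-01T10:00:20 10.0.1.9 -> 203.0.113.7:443 bytes=9120
2011-11-01T10:05:00 10.0.1.9 -> 203.0.113.7:443 bytes=640
2011-11-01T10:07:00 10.0.2.8 -> 10.0.1.3:445 bytes=2048
2011-11-01T10:08:00 10.0.2.8 -> 10.0.1.9:445 bytes=4096
2011-11-01T12:30:00 10.0.1.9 -> 198.51.100.4:80 bytes=300
"""


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one flow line into a dict with a datetime timestamp."""
    ts, src, _arrow, dst_port, size = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(size.split("=", 1)[1])}


def parse_flows(text):
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def find_relay_candidates(flows, window_seconds=300):
    """Return (isolated_host, relay_host, external_dst, lag_seconds) tuples.

    A hit is a file-share flow from a host with no direct external traffic
    to an internal peer that does make an external connection within
    `window_seconds` afterwards: the bridging pattern described for Duqu.
    """
    # Hosts with direct external connectivity -> list of (time, external dst)
    direct = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            direct[f["src"]].append((f["ts"], f["dst"]))

    # Every internal host seen minus those that talk out directly
    seen = {h for f in flows for h in (f["src"], f["dst"]) if is_internal(h)}
    isolated = seen - set(direct)

    hits = []
    for f in flows:
        if (f["port"] not in FILE_SHARE_PORTS or f["src"] not in isolated
                or f["dst"] not in direct):
            continue
        # Correlate with the peer's first external connection after the share
        for ts, ext in direct[f["dst"]]:
            lag = (ts - f["ts"]).total_seconds()
            if 0 <= lag <= window_seconds:
                hits.append((f["src"], f["dst"], ext, int(lag)))
                break
    return hits


if __name__ == "__main__":
    for iso, relay, ext, lag in find_relay_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"isolated {iso} -> relay {relay} -> external {ext} ({lag}s later)")
```

On the constructed data only the first pair is reported: 10.0.1.5 never connects out, sends SMB traffic to 10.0.1.9, and 10.0.1.9 reaches 203.0.113.7 twenty seconds later. The 10.0.2.8 flows are not flagged because one peer (10.0.1.3) has no external connectivity at all and the other's next external connection is hours away. In a real deployment the window and port set would be tuned against the environment's normal file-server traffic, which is the main source of false positives for this heuristic.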
Symantec has contacted Microsoft, and the Redmond software giant has acknowledged the vulnerability and is working diligently towards issuing a patch and advisory. At the time of writing, Duqu infections have been confirmed in six possible organizations in eight countries.
- Organization A - France, Netherlands, Switzerland, Ukraine
- Organization B - India
- Organization C - Iran
- Organization D - Iran
- Organization E - Sudan
- Organization F - Vietnam
Symantec also stated that other security vendors have reported Duqu sightings in the following countries:
- United Kingdom
- Iran - infections different from those observed by Symantec
For more information, please read the Duqu whitepaper published by Symantec.
Source: Symantec Corporation