Duqu Spreads Using Zero-Day Word Exploit, Researchers Warn

Alarm grows as Microsoft works on patch

The unsettling mystery of the would-be Stuxnet malware 'Duqu' has deepened with the discovery that it is spread using a zero-day exploit in a Microsoft Word document.

The University of Budapest security lab that first discovered Duqu has finally tracked down the installer it uses which turns out to function as part of a targeted attack against unknown organisations, Symantec has reported.

According to the lab's analysis, Duqu would have activated in an eight-day August window during which it appears to have been directed to spread across SMB shares, an obsolete Microsoft networking protocol used before the days of Active Directory.

Symantec said it had confirmed infections in only a handful of countries, including Iran, India, Vietnam, Sudan, France, Switzerland, Ukraine and The Netherlands.

Finding the installer is critical because it helps piece together the malware's full design, principally the method is has been using to infect targets.

Not all companies agree that Duqu has any direct connection to the Stuxnet malware that has so perplexed security watchers since its appearance in 2010. Earlier this week, Dell SecureWorks published its own analysis that rated the commonalities between the two as more likely to be coincidence.

That was before the installer file was discovered, however, which at the very least raises the possibility that Duqu is more than just another clever piece of malware on the hunt for profitable victims.

"Exploitation of a kernel-level vulnerability allows the exploit code to run with ultimate privileges, enabling Duqu to have greater capabilities and better evade detection," said Zscaler ThreatLabZ senior security researcher, Mike Geide, spelling out Duqu's menace.

"For example, key logging code could be embedded into a keyboard device driver and operating system functions could be patched to hide or ignore any of Duqu's processes or files."

Microsoft is believed to be working on a fix for the Word zero day flaw, which could be only one of the possible methods the malware uses to attack its victims. It is not clear how soon this patch will turn up but it is likely to receive an enthusiastic welcome despite many security products already being able to spot the current W32.Duqu.

Symantec has produced a detailed white paper for admins interested in learning more about the malware, including how to spot it on a network.

Copyright © 2011 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline