Beware of Count Duqu, but don't overthink the threat

We're learning more about this Duqu malware Symantec warned us about a few weeks ago, and it seems that it may not be a son of Stuxnet after all. But it's no idle threat, either.

My colleague John E Dunn writes about how, after further research, the Stuxnet connection is weaker than first thought:

The design similarities between the recently-publicised Duqu malware and the infamous Stuxnet worm that caused widespread alarm more than a year ago have been hugely exaggerated, an analysis by Dell SecureWorks has concluded.

The essence of the company's strip-down analysis is that despite some common features, Duqu and Stuxnet have been designed to do different jobs, one very targeted, the other more general.

The two pieces of malware do share rootkit-like design elements, including the way the kernel-level driver has been implemented and its loading of encrypted DLL files. Strikingly, both also use a driver-signing certificate from the same Taiwanese company, JMicron, for one of their kernel files.

"The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources," said the unconvinced researchers. "One would have to prove the sources are common to draw a definitive conclusion."

Meanwhile, my colleague Jaikumar Vijayan writes, Duqu is proving to be formidable even without the Stuxnet link:

The Duqu trojan infects systems by exploiting a previously unknown Windows kernel vulnerability that is remotely executable, security vendor Symantec said today.

Symantec said in a blog post that CrySys, the Hungarian research firm that discovered the Duqu Trojan earlier this month, has identified a dropper file that was used to infect systems with the malware.

The installer file is a malicious Microsoft Word document designed to exploit a zero-day code execution vulnerability in the Windows kernel.

"When the file is opened, malicious code executes and installs the main Duqu binaries" on the compromised system, Symantec said.

According to Symantec, the malicious Word document in the recovered installer appears to have been specifically crafted for the targeted organization. The file was designed to ensure that Duqu would only be installed during a specific eight-day window in August, Symantec noted.

No known workarounds exist for the zero-day vulnerability that Duqu exploits. The installer that was recovered is one of several that may have been used to spread the Trojan.

When Symantec first told us about Duqu, they made it sound like we were dealing with a son of Stuxnet, built from the same polluted gene pool but with different capabilities.

Other researchers quickly pooh-poohed the findings, accusing Symantec of playing this up to get attention.

I don't think attention-getting is something worth criticizing here, because every successful vendor I've ever dealt with has sought attention. You can't make a living if no one knows what you're up to in the lab.

And besides, Stuxnet-related or not, Duqu appears to be something worth warning people about.

For its part, Microsoft seems to be taking it seriously, saying it is "diligently" working to fix the vulnerability Duqu targets.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware," Jerry Bryant, Microsoft's Trustworthy Computing group manager, said in an email.

The company will issue a security update to address the vulnerability "through our security bulletin process," Bryant said.

But the fix may not come in time for the next security update Tuesday, so companies will want to keep a sharp eye on this one.

--Bill Brenner


Copyright © 2011 IDG Communications, Inc.
