Duqu Malware Exploits Windows Zero-Day Kernel Bug, Attacks Via Microsoft Word Document

Researchers have concluded that the Duqu Trojan, the possible son of Stuxnet, is using a zero-day Windows kernel vulnerability to spread infection. Microsoft confirmed the kernel bug and is working on a fix. When an infected Word document is opened, Duqu can gain access to spread throughout the network. Symantec reported that this includes spreading via a 'file-sharing C&C protocol' to infect computers that can't connect to the Internet.

Microsoft is up to its neck in muddy malware waters over the Stuxnet-like Duqu Trojan that attacks via a malformed Word document, having admitted yesterday that attackers exploited a previously unknown Windows kernel bug. While there is no definitive workaround right now, Microsoft is "working diligently to address this issue."

Security researchers at CrySyS Labs in Hungary first discovered the Duqu binaries and "identified a dropper file with an MS 0-day kernel exploit inside." It appears to have been sent to targeted victims through emails with tainted Word attachments. Symantec researcher Kevin Haley told Reuters that "If a recipient opened the Word document and infected the PC, the attacker could take control of the machine and reach into an organization's network to propagate itself and hunt for data."

The installer is a Word document (.doc) that, when opened, triggers the exploit, loads a kernel driver, executes the code and installs the Duqu binaries. Symantec created the chart below to better illustrate "how the exploit in the Word document file eventually leads to the installation of Duqu."

For the technically-challenged, TPM explained:

The phony Word document is emailed as an attachment to victims' computers that bypasses antivirus software. Once downloaded, it also installs an "infostealer" that logs a user's keystrokes and steals other system information, also replicating across secure networks using the passwords obtained by the keystroke logger and installing new copies of Duqu in shared folders. It is even able to penetrate secure networks by having secure servers communicate with infected machines and then out onto the public Internet, where the hacker can obtain all of the data. The malware is programmed to remain active for 30 days after which time it automatically removes itself.

Yet Symantec said, "Word file infection is just one of potentially multiple installer methods that may have been used by attackers to infect computers in different organizations."

An international collaboration of security firms and government agencies is attempting to decipher Duqu. Reuters reported that early analysis suggests "it was developed by sophisticated hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines." It appears to have been maliciously crafted by the same individuals who created Stuxnet, which wreaked havoc on Iran's nuclear program. McAfee wrote, "We have already seen several indications that this threat was related to Stuxnet in some form." There were "similarities, and even exact matches" to older Stuxnet variants. "Yet another clue, beside the zero-day exploit, that this code is likely based on the same base as Stuxnet," is that it "reused old driver code in several cases while creating new exploits."

Symantec's Haley told CNET, "We continue to believe this is all about reconnaissance, collecting information." While he declined to say which organizations were targeted and infected, "in some instances the infection was traced to an Internet Service Provider and the original infection from there is unknown." So far, infections have been traced to France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam, Austria, Hungary, Indonesia and the United Kingdom.

Kaspersky reported, "Our research shows that the incidents we detected involving Duqu in Sudan and Iran are actually bigger than initially thought." While Microsoft will release a security bulletin related to Duqu, "it looks like a patch won't be available in November's updates."

BBC reported that at least 29 chemical and defense firms were targeted last week by a Trojan called PoisonIvy. There's been a lot of huffing and puffing about cyberwar, cyber-espionage, and cyber weapons, but with Duqu possibly being a son of Stuxnet, it appears to be another indication we're there. So far, Duqu has been labeled a worm, a Trojan, a virus, and malware. It's early on in this Duqu mystery, only about a month, but let the conspiracy theories fly.

Image Credit: Symantec

Copyright © 2011 IDG Communications, Inc.