Researchers have concluded that the Duqu Trojan, the possible son of Stuxnet, is using a zero-day Windows kernel vulnerability to spread infection. Microsoft confirmed the kernel bug and is working on a fix. When an infected Word document is opened, Duqu can gain access to spread throughout the network. Symantec reported that this includes spreading via a 'file-sharing C&C protocol' to infect computers that can't connect to the Internet.

Microsoft is up to its neck in muddy malware waters over the Stuxnet-like Duqu Trojan that attacks via a malformed Word document, having admitted yesterday that attackers exploited a previously unknown Windows kernel bug. While there is no definitive workaround right now, Microsoft is “working diligently to address this issue.”

Security researchers at CrySyS Labs in Hungary first discovered the Duqu binaries and “identified a dropper file with an MS 0-day kernel exploit inside.” It appears to have been sent to targeted victims through emails with tainted Word attachments. Symantec researcher Kevin Haley told Reuters that “If a recipient opened the Word document and infected the PC, the attacker could take control of the machine and reach into an organization’s network to propagate itself and hunt for data.”

The installer is a Word document (.doc) that, when opened, triggers the exploit, loads a kernel driver, executes the code and installs the Duqu binaries. Symantec created the chart below to better illustrate “how the exploit in the Word document file eventually leads to the installation of Duqu.”

For the technically challenged, TPM explained: The phony Word document is emailed as an attachment to victims’ computers and bypasses antivirus software. Once downloaded, it also installs an “infostealer” that logs a user’s keystrokes and steals other system information, replicating across secure networks using the passwords obtained by the keystroke logger and installing new copies of Duqu in shared folders.
It is even able to penetrate secure networks by having secure servers communicate with infected machines and then out onto the public Internet, where the hacker can obtain all of the data. The malware is programmed to remain active for 30 days, after which time it automatically removes itself.

Yet Symantec said, “Word file infection is just one of potentially multiple installer methods that may have been used by attackers to infect computers in different organizations.”

An international collaboration of security firms and government agencies is attempting to decipher Duqu. Reuters reported that early analysis suggests “it was developed by sophisticated hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines.” It appears to have been maliciously crafted by the same individuals who created Stuxnet, which wreaked havoc on Iran’s nuclear program. McAfee wrote, “We have already seen several indications that this threat was related to Stuxnet in some form.” There were “similarities, and even exact matches” to older Stuxnet variants.
“Yet another clue, beside the zero-day exploit, that this code is likely based on the same base as Stuxnet,” is that it “reused old driver code in several cases while creating new exploits.”

Symantec’s Haley told CNET, “We continue to believe this is all about reconnaissance, collecting information.” While he declined to say which organizations were targeted and infected, “in some instances the infection was traced to an Internet Service Provider and the original infection from there is unknown.” So far, infections have been traced to France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam, Austria, Hungary, Indonesia and the United Kingdom.

Kaspersky reported, “Our research shows that the incidents we detected involving Duqu in Sudan and Iran are actually bigger than initially thought.” While Microsoft will release a security bulletin related to Duqu, “it looks like a patch won’t be available in November’s updates.”

BBC reported that at least 29 chemical and defense firms were targeted last week by a Trojan called PoisonIvy.

There’s been a lot of huffing and puffing about cyberwar, cyber-espionage, and cyber weapons, but with Duqu possibly being a son of Stuxnet, it appears to be another indication we’re there. So far, Duqu has been labeled a worm, a Trojan, a virus, and malware. It’s early on in this Duqu mystery, only about a month, but let the conspiracy theories fly.

Image Credit: Symantec
Follow me on Twitter @PrivacyFanatic