Duqu Targets Windows Kernel Zero-Day Vulnerability

The Duqu Trojan, discovered two weeks ago, exploits at least one zero-day vulnerability in Microsoft Windows, according to security researchers.

The vulnerability was triggered by a booby-trapped Word document, according to a post from researchers at Hungary’s Laboratory of Cryptography and System Security (CrySyS). Microsoft is working to address the issue and will release a security update, Microsoft Trustworthy Computing group’s Jerry Bryant said in a statement. No deadline was provided for the fix.

“As a result of our investigation, we identified a dropper file with an MS 0-day kernel exploit inside,” the CrySyS researchers (pictured) wrote.

Maintain secure practices

There are currently no workarounds users can follow to prevent getting infected by Duqu, other than to continue being vigilant and not open suspicious files attached to emails. Researchers are still investigating whether Duqu exploited any other vulnerabilities or used other attack vectors to spread.

The Stuxnet worm, which many researchers, including Symantec and CrySys, believe was developed by the same team behind Duqu because of similarities in the code, exploited four zero-day vulnerabilities.

The Word document was phrased in a way to “definitively target the intended receiving organisation,” Symantec researchers said, who confirmed the discovery by CrySys.

The installer file is a malicious Microsoft Word document that exploits a previously unknown security flaw in the Windows kernel that allows remote code execution. Once the user opens the file, the malicious code executed and installs the Duqu remote access Trojan on the system and begins monitoring the network, according to Symantec.

Interestingly, the malicious code specified that Duqu would be installed during an eight-day window in August. Researchers had discovered previously that the Trojan was configured to run for 36 days and then delete itself from the system.

In at least one organisation that was infected, Duqu spread across the network through the Server Message Block (SMB)protocol used for file and printer sharing functions between machines, according to researchers. Even if the computer was not connected to the Internet, the malware was able to communicate with remote command and control (C&C) servers by routing its connection through another computer on the network that had Internet access via the SMB protocol.

“This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies,” Symantec researchers wrote.

Finding the triggers

The Duqu Trojan was discovered in October by CrySys and publicised by Symantec. The Trojan garnered a lot of attention because of its similarities to Stuxnet, the worm that infected industrial control systems and damaged centrifuges in Iran’s Natanz nuclear facility. Even though several researchers since then have cast doubt on CrySys and Symantec’s claim that Duqu and Stuxnet were developed by the same team, Symantec continued to assert there was a link between the two pieces of malware.

Researchers had been diligently searching for Duqu’s distribution mechanism to figure out how it infected systems. This discovery is a key step in understanding how it spread and its primary target. At the moment, Duqu appears to have infected approximately six organisation in eight countries, including France, the Netherlands, Switzerland, Ukraine, India, Vietnam, Iran and Sudan.

Symantec also identified another C&C server in Belgium, which has been taken offline. The company had already identified one in India, which was taken offline over the weekend. There are also reports of infections inHungary,Indonesia and theUnited Kingdom, but they have not yet been confirmed.

This must feel like déjà vu for Microsoft as it rushes to patch a new vulnerability that could be maliciously exploited. The Stuxnet worm exploited four zero-days in Windows. The company fixed the issues via an out-of-band update and scheduled Patch Tuesday releases last year.