Duqu Malware Exploits Windows Zero-Day Vulnerability to Install Itself
According to Hungarian security researchers, the infamous Duqu malware uses a zero-day flaw in Windows to deliver its payload, as reported by V3.co.uk on November 2, 2011.
Duqu drew attention immediately after CrySyS and Symantec announced its discovery in early October 2011, because its code is derived directly from the Stuxnet worm, which was used to sabotage Iran's nuclear program.
The most recently recovered file is a Microsoft Word document (.doc) that exploits a flaw in the Windows kernel. According to security vendor Symantec, Microsoft has been informed of the vulnerability and is working on a patch and an advisory.
CrySyS, the university lab that found the malware, said in a statement that Duqu is a threat very similar to Stuxnet, and that this similarity is what sets Duqu apart from the thousands of other viruses and Trojans circulating on the Internet.
Symantec further said that the malicious Word document in the recovered installer appears to have been tailored to the targeted organization: it was built so that Duqu would install only during a specific eight-day window in August 2011.
Chester Wisniewski, Senior Security Advisor at Sophos, commenting on the matter on the Naked Security blog, said that given the targeted nature of these attacks, and that this malware is not a worm or virus, it is quite evident that only the authors of the malware and the security researchers analyzing it could exploit the bug.
Symantec also stated that in one of the six organizations confirmed to be infected, the attackers remotely ordered Duqu to spread using the Server Message Block (SMB) protocol, which provides file and printer sharing.
However, some of the Duqu-infected computers could not reach the central command-and-control server directly. Those machines were instead configured to communicate through another compromised computer on the same network that did have a connection to the server, so that the peer relayed their traffic.
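The two behaviours just described, SMB-driven spread and a compromised peer relaying command-and-control traffic for hosts with no external connectivity, leave a pattern in network flow logs that a defender can search for. The following is an added example, not code from the original article or from any of the researchers it cites: it runs a simple heuristic over constructed flow records (hypothetical 10.0.1.0/24 hosts and RFC 5737 documentation addresses standing in for external ones, not real Duqu telemetry), flagging an internal host that never talks outside the network yet connects to another internal host on exactly the port that host uses to beacon externally, and then listing SMB traffic between the flagged pair. Function names are the example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port). Hypothetical sample data,
# not telemetry from any real Duqu infection.
SAMPLE_FLOWS = [
    ("10.0.1.20", "203.0.113.7", 443),   # host with direct egress beaconing to an external address
    ("10.0.1.20", "203.0.113.7", 443),
    ("10.0.1.31", "10.0.1.20", 443),     # host with no egress talking to that host on the beacon port
    ("10.0.1.31", "10.0.1.20", 443),
    ("10.0.1.20", "10.0.1.31", 445),     # SMB from the egress host to its peer
    ("10.0.1.40", "10.0.1.5", 445),      # ordinary SMB to a file server, should not be flagged
    ("10.0.1.5", "10.0.1.40", 445),
    ("10.0.1.50", "198.51.100.9", 80),   # ordinary web egress, no internal peers on that port
]

SMB_PORTS = {139, 445}

# RFC 1918 ranges only. ipaddress's is_private also classes the RFC 5737
# documentation ranges used above as "private", which would break the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_peer_relays(flows):
    """Return sorted (client, relay, port) triples.

    A finding is an internal 'client' with no external flows at all that connects
    to an internal 'relay' on a port the relay itself uses to reach the outside.
    """
    egress_ports = defaultdict(set)     # internal host -> ports it uses externally
    internal_peers = defaultdict(set)   # (internal dst, port) -> internal sources
    for src, dst, port in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            internal_peers[(dst, port)].add(src)
        else:
            egress_ports[src].add(port)

    findings = set()
    for (dst, port), srcs in internal_peers.items():
        if port in egress_ports.get(dst, ()):
            for src in srcs:
                if src not in egress_ports:
                    findings.add((src, dst, port))
    return sorted(findings)


def smb_between_suspects(flows, relays):
    """SMB flows whose source and destination both appear in a relay finding."""
    suspects = {h for client, relay, _ in relays for h in (client, relay)}
    return sorted({(s, d) for s, d, p in flows
                   if p in SMB_PORTS and s in suspects and d in suspects})


if __name__ == "__main__":
    relays = find_peer_relays(SAMPLE_FLOWS)
    for client, relay, port in relays:
        print(f"possible relay: {client} -> {relay} on port {port}")
    for s, d in smb_between_suspects(SAMPLE_FLOWS, relays):
        print(f"SMB between suspects: {s} -> {d}")
```

On real data, exclude known proxies and gateways from the relay check first, since a legitimate web proxy produces exactly the same port-matching pattern; the heuristic is a lead for investigation, not a verdict.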
Nonetheless, researchers are continuing their search for the files used to install Duqu on infected systems, so it is possible that the attackers exploited other zero-day vulnerabilities as well. Stuxnet was found to have targeted at least four zero-day bugs.
SPAMfighter News - 08-11-2011