Friday, 4 November 2011

Duqu installer contains Microsoft Windows zero-day vulnerability

Investigators trying to uncover more information about the Duqu Trojan have discovered the installer, yielding new clues as to how systems are infected by the malware.

Instead of speculating, we encourage all professional organizations to enhance the joint process of finding a solution, since strong international collaboration will remain to play a key role.

Laboratory of Cryptography and System Security (CrySyS)

Researchers at Budapest-based Laboratory of Cryptography and System Security (CrySyS) detected the installer, a malicious Microsoft Word document, and discovered that Duqu contains a dropper file that targets a Microsoft Windows kernel zero-day flaw. When the file is opened, the malicious code executes, quietly installing the malicious Duqu files.

The discovery is significant as it forces Microsoft to begin developing a patch for the flaw. While no additional workarounds exist, enterprises can bolster defenses by educating end users about suspicious attachments. Symantec issued a Duqu Trojan status update, explaining how the cybercriminals behind the malware pull off a successful attack. The company warns other attack vectors may exist.

“The Word document was crafted in such a way as to definitively target the intended receiving organization,” Symantec said. “Furthermore, the shell-code ensured Duqu would only be installed during an eight-day window in August.”

Symantec said organizations that consider Duqu a threat should follow best practices and avoid documents from unknown parties. “Fortunately, most security vendors already detect and block the main Duqu files, thereby preventing the attack,” Symantec said.

Symantec issued details about Duqu Oct. 14, describing how the Trojan contains some of the same source code used by the Stuxnet worm. Duqu contains a different payload. Rather than disrupting industrial processes, it has been targeted at industrial equipment manufacturers and collects information about the manufacturer’s systems and other proprietary data. Symantec, which is working closely with the CrySyS researchers, warned that Duqu could be a precursor for a much more dangerous attack.

Duqu infections appear to be limited, Symantec said.  Once Duqu infects a system, it attempts to contact a command-and-control server where attackers can install additional malware designed to record data and steal other information. While some infections had the ability to remotely contact a C&C server, Symantec said other infections did not contain the communications functionality and instead used a file-sharing protocol to connect to a computer that could contact the remote server for instructions.

The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server.

“Duqu creates a bridge between the network's internal servers and the C&C server,” Symantec said. “This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.”

Microsoft has not yet released an advisory indicating when it would have a patch ready to plug the kernel vulnerability. The software giant’s next scheduled security updates are scheduled for 1 p.m. ET, Nov. 8.

CrySyS, the organization that discovered Duqu and conducted the initial analysis of the malware, said it would continue to investigate the Trojan and release information to the security community. The research team cautioned security vendors to limit speculation.

“Instead of speculating, we encourage all professional organizations to enhance the joint process of finding a solution, since strong international collaboration will remain to play a key role,” the research team said on the CrySyS website.

According to Reuters, last week investigators seized the computer equipment from a data center in India believed to be linked to the Duqu malware.