Duqu exploits previously unknown vulnerability in Windows kernel
Microsoft has confirmed a report from Budapest-based Laboratory of Cryptography and System Security (CrySyS), which claimed that the Duqu bot spreads by exploiting a zero day vulnerability in the Windows kernel. How it spreads had previously been unknown. CrySyS discovered the Windows vulnerability whilst analysing the installer. The bot, which anti-virus software firm Symantec believes is related to Stuxnet, infects target systems using a specially crafted Word file which injects the malware into the system using a kernel exploit. Microsoft is already working on a patch.
Symantec says that in at least one case, attackers have already taught Duqu to spread via network shares. This allowed the bot to spread through the company network and even infect systems with no direct internet access. The latter were then supplied with instructions from the command and control server by bots which did have internet access.
Until now, Duqu has reportedly only been used for targeted attacks. The installer examined by Symantec was set to be active only during an eight-day window in August. Symantec has already identified possible infections at six companies operating in France, The Netherlands, Switzerland, the Ukraine, India, Iran, Sudan and Vietnam. Other security companies claim to have discovered infections in the UK, Austria and Indonesia. To date, Duqu has not been identified at German companies. The German Federal Office for Information Security (BSI) has specifically asked businesses to inform it of any cases of infection.
Among other things, Duqu has been deployed to carry out espionage against manufacturers of industrial control systems. This suggests that the attackers may be using the stolen information to plan new attacks on industrial control systems, such as those used in power plants. Stuxnet was initially deployed to sabotage Iran's nuclear programme, and it too exploited previously unknown vulnerabilities in Windows.
In the meantime, security specialists from Dell's SecureWorks Counter Threat Unit (CTU) have expressed doubt as to whether Duqu is really related to Stuxnet. They report that although both pieces of malware utilise broadly similar rootkit techniques, such as a kernel driver which first decrypts an encrypted DLL and then injects it into other processes, these techniques are now standard practice and are used by many pieces of malware unrelated to Stuxnet. Duqu's payload, according to Dell, bears no relation to Stuxnet's and does not suggest a relationship between the two.