A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability, but the exact location and nature of the flaw have not yet been disclosed.
The installer, discovered by researchers at the Hungarian lab that first found Duqu, is a Word document that, once opened, exploits the kernel flaw and then installs the Duqu code on the machine. In an analysis of the installer and the attack, Symantec researchers found that the sample discovered by the CrySyS Lab at the Budapest University of Technology and Economics was tailored to a single target organization's environment and was designed to install itself only within an eight-day window in August.
“Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares. Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server. The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server. Consequently, Duqu creates a bridge between the network’s internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies,” Vikram Thakur of Symantec wrote in the analysis of the installer’s behavior.
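The proxying behaviour Symantec describes above, where machines with no Internet access reach the C&C server through an infected peer over a file share, leaves a pattern in network flow data that an analyst can hunt for: an internal host that never talks to external addresses but does talk over SMB to a host that has external egress. The following is an added triage script, not code from Symantec or from the Duqu analysis, and the flow records, IP ranges and port list are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port); not real Duqu traffic.
FLOWS = [
    ("10.1.1.20", "10.1.1.5", 445),       # workstation -> file server over SMB
    ("10.1.1.5", "203.0.113.7", 80),      # file server has outbound Internet access
    ("10.2.2.30", "10.1.1.5", 445),       # isolated host -> egress-capable host over SMB
    ("10.2.2.30", "10.2.2.31", 445),      # isolated host -> another isolated host
    ("10.1.1.20", "198.51.100.9", 443),   # workstation has its own egress
    ("10.2.2.31", "10.2.2.30", 445),      # isolated host -> isolated host
]

# Assumed internal address space; adjust to the environment being analysed.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_bridge_candidates(flows):
    """Return {isolated_host: [egress_hosts it reaches over SMB]}.

    An 'isolated' host is one that appears as a source but never connects to
    a non-internal destination. A candidate relay is an internal host that
    does have external connections and is an SMB destination of the isolated
    host. This is a triage list, not a verdict: ordinary file servers match too.
    """
    egress = set()                 # hosts seen connecting to external addresses
    smb_peers = defaultdict(set)   # host -> internal hosts it reached over SMB
    hosts = set()

    for src, dst, port in flows:
        hosts.add(src)
        if not is_internal(dst):
            egress.add(src)
        elif port in SMB_PORTS:
            smb_peers[src].add(dst)

    isolated = hosts - egress
    candidates = {}
    for host in sorted(isolated):
        relays = sorted(peer for peer in smb_peers[host] if peer in egress)
        if relays:
            candidates[host] = relays
    return candidates


if __name__ == "__main__":
    for host, relays in find_bridge_candidates(FLOWS).items():
        print(f"{host} has no Internet egress but reaches egress host(s) {relays} over SMB")
```

On the constructed data this flags 10.2.2.30 via 10.1.1.5 only; 10.1.1.20 also uses SMB to the same server but is excluded because it has its own external connections, and 10.2.2.31 is excluded because its only SMB peer is itself isolated. A real hunt would then pivot to the flagged egress host and look at what it actually sends outbound, since a file server being used as a bridge looks, from the inside, exactly like a file server.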
Microsoft officials said they are working on a patch for the kernel bug now.
“Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process,” Jerry Bryant, group manager of response communications in Microsoft’s Trustworthy Computing group said in a statement.
There has been a lot of discussion in the security community about the origins and intent of Duqu, with some researchers speculating that it may be somewhat similar to Stuxnet and may, in fact, have been written by the same people. Others have said that the newer malware is unlike Stuxnet in many ways and that Duqu is more likely a customizable attack framework designed to be used as needed in different environments. The discovery of a previously unknown Windows kernel bug in use by Duqu will strengthen the comparisons, as Stuxnet included several Windows zero days. Symantec also said it has found a newer sample of Duqu that was talking to a new command-and-control server in Belgium, rather than the original one in India that was taken offline over the weekend. The server in Belgium has also been shut down.
The researchers at CrySyS Lab said that they have shared information on the Windows kernel flaw with other organizations.
“Our lab, the Laboratory of Cryptography and System Security (CrySyS) pursued the analysis of the Duqu malware and as a result of our investigation, we identified a dropper file with an MS 0-day kernel exploit inside. We immediately provided competent organizations with the necessary information such that they can take appropriate steps for the protection of the users,” the lab said in a statement.