Search This Blog

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm


Zero-Day Vulnerability found in Windows Kernel by Researchers at the Cryptography and System Security (CrySyS) Lab, as the result of Analyzing the Duqu malware.  CrySys immediately reported to the Microsoft about the vulnerability.

CrySys discovered the Duqu Binaries and confirmed that it is nearly identical to Stuxnet.Thus far, no-one had been able to find the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems.

As the result of Research, CrySys found the installer as Microsoft word document file(.doc) that use a previously unknown kernel vulnerability.  When the .doc file is opened, the Duqu infects the system.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations.", Symantec Report.

Once the system infected by Duqu, the attacker can control the system and infects other organization through the Social Engineering.  In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.

Even though the system didn't have the ability to connect to the Internet , the Malware  configured such that to communicate with C&C Server using other infected system that has Internet connection.

Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

Several Countries become the victim of this Duqu malware.  According to Symantec report, there are 8 countries infected by this malware.

As the result of Analysis, the researcher discovered that malware contacts a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group said in a statement

updated whitepaper (version 1.3) from Symantec .

Share it:

Malware Attack

Malware Report

Microsoft Hacks

OS Vulnerability

Symantec

Vulnerability

Zero Day