Windows kernel 'zero-day' found in Duqu attack

Summary: One version of the attack was triggered by a rigged Microsoft Word .doc that probably included some social engineering and required the target to open the booby-trapped file.

The mysterious Duqu malware attack exploited a zero-day vulnerability in the Windows kernel, according to security researchers tracking the Stuxnet-like cyber-surveillance Trojan.

Researchers at the Laboratory of Cryptography and System Security (CrySyS) in Hungary confirmed the existence of the zero-day vulnerability and its exploit in a brief note posted to the lab's website:

follow Ryan Naraine on twitter

Our lab, the Laboratory of Cryptography and System Security (CrySyS) pursued the analysis of the Duqu malware and as a result of our investigation, we identified a dropper file with an MS 0-day kernel exploit inside. We immediately provided competent organizations with the necessary information such that they can take appropriate steps for the protection of the users.

The vulnerability has since been reported to Microsoft. However, the company has not yet issued a security advisory to provide pre-patch mitigation guidance to Windows users.

One version of the attack was triggered by a rigged Microsoft Word .doc that probably included some social engineering and required the target to open the booby-trapped file. However, since this is a kernel vulnerability rather than a flaw in Word itself, other attack vectors could have been used, or could still be used, to reach the same code path.

Here's more information on the zero-day component from Symantec:

Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares. Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server. The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server. Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

While the number of confirmed Duqu infections is still limited, using the above techniques we have seen Duqu spread across several countries. At the time of writing, Duqu infections have been confirmed in six possible organizations in eight countries.

Symantec also reported the recovery of a new Duqu sample that communicates with a different C&C server. All previously analyzed samples were configured to contact a server hosted in India. This particular Duqu file was configured to communicate with a server in Belgium with the IP address '77.241.93.160'.
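The relay pattern in the Symantec excerpt above (an isolated host in a "secure zone" reaching the C&C server only through an SMB file share on a second infected host that does have Internet access) and the Belgian C&C address quoted just above can both be checked for in network flow data. The following script is an added example, not Symantec's or the article's code: it runs over a handful of constructed flow records (the addresses other than 77.241.93.160 are placeholders) and flags, first, internal hosts beaconing to a known C&C address and, second, internal hosts with no external egress at all that exchange SMB traffic with a beaconing host.

```python
"""Flag the two Duqu C&C behaviours the Symantec write-up above describes:
direct beacons to a known C&C address, and 'secure zone' hosts with no
Internet egress that exchange SMB traffic with a beaconing host (the proxy).

Added example, not Symantec's or the article's code. The flow records are
constructed; the external addresses other than 77.241.93.160 are placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address

# Known C&C address quoted in the article (the Belgian server). The Indian
# server's address is not given on the page, so it is not listed here.
KNOWN_C2 = {"77.241.93.160"}

SMB_PORT = 445

# Constructed flow records: (src_ip, dst_ip, dst_port). Not real telemetry.
SAMPLE_FLOWS = [
    ("10.0.1.5", "77.241.93.160", 443),   # proxy host beacons to C&C
    ("10.0.1.5", "93.184.216.34", 443),   # proxy host, ordinary web traffic
    ("10.0.2.9", "10.0.1.5", 445),        # isolated host <-> proxy over SMB
    ("10.0.1.5", "10.0.2.9", 445),
    ("10.0.2.9", "10.0.2.20", 445),       # isolated host to an internal file server
    ("10.0.3.3", "10.0.1.8", 445),        # another host using a file server that
    ("10.0.1.8", "93.184.216.34", 443),   # has Internet access but never beacons
]


def is_internal(ip: str) -> bool:
    """RFC 1918 / loopback / link-local addresses count as inside the network."""
    return ip_address(ip).is_private


def analyze(flows, known_c2=KNOWN_C2):
    """Return (beaconing_hosts, bridges), both sorted lists.

    beaconing_hosts: internal hosts seen connecting to a known C&C address.
    bridges: (isolated_host, beaconing_host) pairs where an internal host with
             no external egress at all exchanges SMB traffic with a beaconing
             host, i.e. the file-share relay pattern Symantec describes.
    """
    egress = set()                  # internal hosts with any external flow
    beaconing = set()               # subset of egress that reached a C&C address
    smb_edges = defaultdict(set)    # undirected SMB adjacency between internal hosts
    internal_hosts = set()

    for src, dst, port in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in:
            internal_hosts.add(src)
        if dst_in:
            internal_hosts.add(dst)
        if src_in and not dst_in:
            egress.add(src)
            if dst in known_c2:
                beaconing.add(src)
        elif src_in and dst_in and port == SMB_PORT:
            # Direction does not matter: either side may read or write the share.
            smb_edges[src].add(dst)
            smb_edges[dst].add(src)

    isolated = internal_hosts - egress
    bridges = sorted(
        (host, peer)
        for host in isolated
        for peer in smb_edges.get(host, ())
        if peer in beaconing
    )
    return sorted(beaconing), bridges


if __name__ == "__main__":
    beaconing, bridges = analyze(SAMPLE_FLOWS)
    print("hosts beaconing to known C&C:", beaconing)
    print("isolated hosts relayed through a beaconing host:", bridges)
```

Two caveats when running something like this against real data. "Isolated" here only means the sensor saw no external flow from that host, so the flow source must actually cover the secure zone, otherwise missing visibility looks like isolation. And the heuristic deliberately ignores isolated hosts whose only SMB peers have ordinary Internet access (10.0.3.3 in the sample), since that is what every file-server user looks like; a bridge is only reported when the peer has itself been seen contacting a known C&C address.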

UPDATE: Still no formal security advisory from Microsoft, but we now have a confirmation via the Microsoft Security Response Center's Twitter account:

"We are working to address a vulnerability believed to be connected to the Duqu malware."

Here's a direct quote from Microsoft's Jerry Bryant:

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process."

Topics: Windows, Microsoft, Security

Talkback

96 comments
  • The user has to download it and run it

    so per apple logic this is not a problem.
    honeymonster
    • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

      @honeymonster
      The user receives a Word document in email. When the doc is opened, it infects the targeted computer and will not be detected by anti-virus software.

      I would say a bit more serious than the Mac Defender virus. Apple patched that up very quickly and it seems that Apple is doing a good job protecting against mall ware...
      prof123
      • Apple did not patch Mac Defender

        @prof123
        Apple simply added the malware signature to the AV software that is deeply embedded in OS X. You can't run OS X without AV. It isn't safe. That is why Apple embedded AV right into OS X.
        toddybottom
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @prof123 why would it not be detected by an AV software?
        pupkin_z
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @prof123

        Apple never patched it. There was a "fix" but it was a very weak one and nearly instantly bypassed. Blacklist race.

        What DID happen is that the Russian government, in an inexplicable fit of lawfulness, arrested the group responsible and it all stopped overnight. That is very uncharacteristic of Russia and a pretty good indication that Apple figured out who they were and greased some palms to get the right officials to suddenly care about doing their jobs.

        Security through obscurity? Nah. Security through a good offense.
        SlithyTove
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @prof123 You actually mean 'They denied it existed like every security threat for a while before rolling out a patch while thinking nobody would notice'
        DreyerSmit
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @prof123 hee hee... mall ware - be careful of those malls...just kidding - I know you meant malware. I am glad those vicious fake anti virus programs stopped popping up. So this one is only if you open a word doc that is unidentified, or can it attach to any word doc?
        monikawoods
    • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

      @honeymonster

      +1
      bigjon-x64
    • I noticed you were so eager to point this out that

      you made your comment before any Apple fan actually made the statement you accuse them of.
      baggins_z
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @baggins_z

        It's called a "pre-emptive retort"... :)
        PollyProteus
    • Don't forget the other apple fanboi logic

      @honeymonster
      If this discovery comes from an AV vendor then it means it is a lie and is not a problem.
      toddybottom
      • But this is a Windows issue...

        ...and not an Apple issue, so an EPIC FAIL on deflection.
        ScorpioBlue
  • Spear phishing with a Microsoft Word doc file

    Three questions:

    1. Would this exploit work if the doc file was opened with an alternative word processor such as LibreOffice, Corel WordPerfect Office, etc.?

    2. If a user runs their PC in a limited/standard user account and Software Restriction Policy whitelisting (via gpedit.msc) is enabled, including dll protection, would this exploit still work?

    3. If Microsoft's EMET is installed and configured, would this exploit still work?

    Some additional details from Symantec (link provided in the article):

    http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit

    Edit: Added 3rd question.
    Rabid Howler Monkey
    • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

      @Rabid Howler Monkey please don't confuse the issue with logical questions.......
      The only issue here is just like always -
      1 - Mac OS is better than Windows.
      2 - No it isn't.
      3 - Go to 1.
      dev/null
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @dev/null That is in the eye of the beholder. To others Windows is better and always will be. To still others Nix (any flavour) beats both. Who is right, and who says so?
        Franciscus101
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @Franciscus101...I see we're unfamiliar with tech humor.
        I12BPhil
      • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

        @dev/null You didn't even know what the questions meant, pretty evident with that answer to number 2. And what is the third question?
        DreyerSmit
    • very good questions!

      @Rabid Howler Monkey

      Very good questions!

      Inquiring minds want to know.

      I'd wager it's in a Word document "feature" that is not available in the "compatible" alternatives.
      wkulecz
      • RE: very good questions!

        @wkulecz And not a bad wager. :)

        PCWorld interviewed staff at CrySyS, the Hungarian co. credited with 'discovering' duqu, and they described a Microsoft Word 0-day along with the previously-mentioned Windows kernel 0-day. More here:

        http://www.pcworld.com/businesscenter/article/243019/duqu_worm_targets_microsoft_zero_day_flaw.html

        Which begs another question for users of Microsoft Word: does Microsoft's Office 2010 'protected view' provide any protection against this exploit?
        Rabid Howler Monkey
  • RE: Windows kernel 'zero-day' vulnerability found in Duqu attack

    I have been an avid Apple User since 1979, my first Mac in 1984 and multiple OS computer support for 30 years. The most likely candidate for trouble is the user that thinks he is safe. Over confidence leads to laziness. Always be diligent!
    lsweeney1