The installer can take the shape of any harmless-looking file

Nov 2, 2011 08:45 GMT  ·  By

The Hungarian security research laboratory CrySyS, which first identified the controversial Duqu, has discovered an installer for the threat, allowing researchers to determine precisely how the infection chain begins.

According to Symantec, the installer came in the form of a Microsoft Word document that exploits a previously unknown (zero-day) vulnerability in the Windows kernel.

Since the flaw lies in the kernel rather than in Microsoft Word itself, the installer can easily be disguised as almost any type of harmless-looking file that makes the vulnerable kernel code run; the Word document is simply the delivery vehicle that happened to be observed.

The sample the researchers recovered shows that these installers are tailored to each targeted organization. For instance, the document found by CrySyS was built to install Duqu only during an eight-day window in August; outside that window the document would not deliver the payload.

So how does the infection chain work?

Once the legitimate-looking document is opened, it triggers the exploit, which loads the shellcode. The shellcode decrypts a driver and executes it, and the driver injects the installer into "services.exe". After three component files have been decrypted, the installer hands execution to the main Duqu library.

Once it has settled on a system, the operators controlling it can spread it across the organization's network.

An interesting discovery was that even computers without Internet access could still reach the C&C server controlling the malware. The configuration files instruct the infected host to use file-sharing protocols for command and control: C&C traffic is handed from one infected machine to the next until it reaches a machine that does have an Internet connection, which relays it to the server.

This gave attackers a route into areas of the network that were considered isolated from the rest of the infrastructure. Blocking outbound Internet access alone is therefore not real isolation: a single infected peer that has both a reachable file share and an Internet connection bridges the gap.
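The relay behaviour described above, modelled as an added example that is not Duqu's code and not taken from the CrySyS or Symantec reports: each host without Internet access drops its beacon into a peer's file share, and the beacon hops along until a host with Internet access forwards it. The host names, the share graph and the beacon file name are constructed for the illustration. The last function is the check a defender wants: which "isolated" hosts can still reach the outside through a chain of shares.

```python
"""
Constructed model of peer-relayed command and control over file shares.
Added illustration only; host names, share layout and beacon format are
assumptions made for the example, not observed Duqu indicators.
"""
from collections import deque

# Constructed share graph: host -> hosts whose file shares it can write to.
SHARES = {
    "ws-iso-01": ["ws-iso-02"],
    "ws-iso-02": ["ws-iso-01", "fileserver"],
    "fileserver": ["ws-iso-02", "ws-corp-07"],
    "ws-corp-07": ["fileserver"],
    "ws-island": [],  # genuinely cut off: no reachable shares at all
}

# Hosts that can open an outbound connection to the C&C server.
INTERNET = {"ws-corp-07"}


def relay_path(src, shares=SHARES, internet=INTERNET):
    """Breadth-first search over writable shares.

    Returns the list of hops from src to the first Internet-connected host,
    or None when no chain of shares reaches one.
    """
    if src in internet:
        return [src]
    parent = {src: None}
    queue = deque([src])
    while queue:
        host = queue.popleft()
        for peer in shares.get(host, []):
            if peer in parent:
                continue
            parent[peer] = host
            if peer in internet:
                # Walk the parent links back to src and reverse.
                path = [peer]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(peer)
    return None


def relay_beacon(src, payload, shares=SHARES, internet=INTERNET):
    """Simulate the hop-by-hop relay of one beacon file.

    Each host writes the beacon into the next host's share; the final host
    forwards it to the C&C server. Returns the list of hops, or None when
    the beacon can never leave the network.
    """
    path = relay_path(src, shares, internet)
    if path is None:
        return None
    hops = []
    for cur, nxt in zip(path, path[1:]):
        hops.append(cur + " -> \\\\" + nxt + "\\share\\" + payload)
    hops.append(path[-1] + " -> C&C (Internet)")
    return hops


def transitively_exposed(shares=SHARES, internet=INTERNET):
    """Hosts with no Internet access of their own that can still reach the
    C&C through a chain of shares. A segment is only isolated if this set,
    restricted to that segment, is empty."""
    return {
        h for h in shares
        if h not in internet and relay_path(h, shares, internet) is not None
    }


if __name__ == "__main__":
    for hop in relay_beacon("ws-iso-01", "beacon.dat"):
        print(hop)
    print("exposed:", sorted(transitively_exposed()))
```

Running the block shows ws-iso-01 reaching the C&C in three share hops even though it has no Internet access itself, while ws-island, which shares nothing with anyone, is the only host that is genuinely isolated.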

Symantec researchers also recently found a Duqu sample that, instead of connecting to a server in India as earlier samples did, contacted one hosted in Belgium.

So far, organizations in France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Austria, Hungary and the UK have been reported as infected with the malware.