November 2nd, 2011, 08:45 GMT · By Eduard Kovacs

Duqu Installer Found to Rely on Windows Kernel Vulnerability

Figure: The geographical distribution of Duqu
The Hungarian security research laboratory CrySyS, which first identified Duqu, has recovered an installer for the threat, allowing researchers to determine precisely how the infection chain begins.

According to Symantec, the installer takes the form of a Microsoft Word document that exploits a previously unknown (zero-day) vulnerability in the Windows kernel.

Since the vulnerable code is in the kernel rather than in Word itself, the document is only the delivery vehicle: the installer can be disguised as almost any harmless-looking file, and it is the kernel flaw, not an Office bug, that gives the attackers code execution.

The sample also revealed that these installers are tailored to each targeted organization. For instance, the file recovered by CrySyS was built so that Duqu would only be installed during a specific eight-day window in August 2011.

So how does the infection chain work?

When the legitimate-looking document is opened, it triggers the exploit, which runs shellcode. The shellcode decrypts a driver and executes it; the driver then injects the installer into the "services.exe" process. Once the installer has decrypted three component files, it hands execution to the main Duqu library.
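The chain above (Office process, kernel driver load, injection into services.exe, services.exe loading a library from an unusual location) is a sequence a detection engineer can match on endpoint telemetry. The following is an added example, not code from Symantec, CrySyS or the Duqu authors: the event records are constructed here and loosely follow Sysmon-style event kinds, and the field names, paths and the ten-minute window are assumptions. It reports partial matches too, since a sensor may lack one of the stages (for example no driver-load telemetry).

```python
"""Ordered behavioural match for a Duqu-style installer chain.

Added example; constructed events, not real telemetry. Field names and the
Sysmon-like event kinds are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    ts: datetime
    kind: str            # "process", "driver", "remote_thread", "image_load"
    host: str
    image: str = ""      # process image, driver path or loaded DLL path
    signed: bool = True  # only meaningful for kind == "driver"
    source: str = ""     # injecting process (remote_thread) / loading process (image_load)
    target: str = ""     # injected process (remote_thread)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Stages in the order the article describes them. Each predicate decides
# whether a single event satisfies that stage.
STAGES = [
    ("office process start",
     lambda e: e.kind == "process" and base(e.image) in OFFICE_PROCESSES),
    ("unsigned driver load",
     lambda e: e.kind == "driver" and not e.signed),
    ("thread injected into services.exe",
     lambda e: e.kind == "remote_thread" and base(e.target) == "services.exe"
     and base(e.source) != "services.exe"),
    ("services.exe loads DLL outside system directories",
     lambda e: e.kind == "image_load" and base(e.source) == "services.exe"
     and not e.image.lower().startswith(SYSTEM_DIRS)),
]


def match_chain(events, window=timedelta(minutes=10), min_stages=2):
    """Per host, walk events in time order from each Office start and match the
    remaining stages strictly in sequence within `window`. Returns one alert
    per host (the first chain found) when at least `min_stages` stages matched;
    `complete` tells whether all stages were seen."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            if not STAGES[0][1](first):
                continue
            matched = [STAGES[0][0]]
            stage = 1
            for e in evs[i + 1:]:
                if e.ts - first.ts > window or stage == len(STAGES):
                    break
                if STAGES[stage][1](e):
                    matched.append(STAGES[stage][0])
                    stage += 1
            if len(matched) >= min_stages:
                alerts.append({"host": host, "start": first.ts,
                               "stages": matched,
                               "complete": len(matched) == len(STAGES)})
                break  # one alert per host is enough for triage
    return alerts


BASE_TS = datetime(2011, 8, 1, 9, 0)


def T(minutes):
    return BASE_TS + timedelta(minutes=minutes)


# Constructed sample: ws-hu-01 shows the full chain, ws-hu-02 is benign
# (Word starts, then a signed driver loads from the system directory).
SAMPLE_EVENTS = [
    Event(T(0), "process", "ws-hu-01",
          image=r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"),
    Event(T(5), "driver", "ws-hu-01", image=r"C:\Windows\Temp\~DF1A.tmp", signed=False),
    Event(T(6), "remote_thread", "ws-hu-01", source="System",
          target=r"C:\Windows\System32\services.exe"),
    Event(T(7), "image_load", "ws-hu-01", source=r"C:\Windows\System32\services.exe",
          image=r"C:\Users\Public\payload.dll"),
    Event(T(1), "process", "ws-hu-02",
          image=r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"),
    Event(T(2), "driver", "ws-hu-02", image=r"C:\Windows\System32\drivers\usbhub.sys",
          signed=True),
]

if __name__ == "__main__":
    for a in match_chain(SAMPLE_EVENTS):
        print(a["host"], "complete" if a["complete"] else "partial", a["stages"])
```

Strict ordering is the point: an unsigned driver load or a remote thread into services.exe is noisy on its own, but the four stages in this order inside a short window are hard to produce innocently. Tune `min_stages` down on sensors that cannot see kernel driver loads.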

Once established on a host, the operators behind it can direct it to spread across the organization's network.

An interesting discovery was that even computers without Internet access could reach the C&C server that controls the malware. Their configuration files directed them to use a file-sharing (SMB-based) command-and-control protocol: traffic is relayed from one infected machine to the next over network file shares until it reaches a host that does have an Internet connection.

This let the attackers reach parts of the network that were considered isolated from the rest of the infrastructure: a machine does not need a route to the Internet, only a file-share path to an infected peer that has one.
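The practical consequence is that "isolated" has to be checked against file-share reachability, not just against the Internet gateway. The following is an added example, not code from the page or from Symantec or CrySyS: it takes a constructed map of which hosts can open file shares on which other hosts and which have direct Internet egress, and finds, for every host without egress, the shortest relay chain to one that has it. The host names and topology are assumptions.

```python
"""Audit of 'isolated' hosts against file-share relay paths.

Added example with a constructed network; not the page's or any vendor's code.
"""
from collections import deque

# Constructed topology: host -> (has_direct_internet, [hosts it can open shares on]).
# Engineering workstations are "isolated" on paper, but the engineering file
# server can reach a corporate file server that a connected workstation uses.
NETWORK = {
    "eng-ws-01":  (False, ["eng-fs-01"]),
    "eng-ws-02":  (False, ["eng-fs-01"]),
    "eng-fs-01":  (False, ["corp-fs-01"]),
    "corp-fs-01": (False, ["corp-ws-07"]),
    "corp-ws-07": (True,  []),
    "lab-ws-01":  (False, ["lab-ws-02"]),
    "lab-ws-02":  (False, ["lab-ws-01"]),
}


def relay_paths(network):
    """For every host without direct Internet access, return the shortest chain
    of file-share hops (breadth-first search) ending at a host that has it,
    or None if no such chain exists."""
    result = {}
    for start, (direct, _) in network.items():
        if direct:
            continue
        queue = deque([[start]])
        seen = {start}
        found = None
        while queue and found is None:
            path = queue.popleft()
            for peer in network[path[-1]][1]:
                if peer in seen:
                    continue
                if network[peer][0]:          # peer has egress: relay succeeds here
                    found = path + [peer]
                    break
                seen.add(peer)
                queue.append(path + [peer])
        result[start] = found
    return result


def truly_isolated(network):
    """Hosts with no direct egress and no relay chain to a host with egress."""
    return sorted(h for h, p in relay_paths(network).items() if p is None)


def reachable_via_relay(network):
    """Hosts believed isolated that a Duqu-style relay could still connect."""
    return sorted(h for h, p in relay_paths(network).items() if p is not None)


if __name__ == "__main__":
    for host, path in relay_paths(NETWORK).items():
        print(host, "->", " -> ".join(path) if path else "no relay path")
```

Feed it real data (for example, share-access logs or firewall rules for TCP 445 between segments) and any host that appears in `reachable_via_relay` is not isolated in the sense that matters here, whatever its routing table says.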

Symantec researchers also recently found a Duqu sample that, instead of connecting to a server in India as earlier samples did, contacted one hosted in Belgium.

So far, organizations in France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Austria, Hungary and the UK have been reported as infected.
