Print 18 comment(s) - last by PitViper007.. on Nov 8 at 8:59 AM

Worm is exploiting zero-day exploit in the TrueType Windows component

The Duqu [dyü-kyü] worm, containing parts of the Stuxnet code, is a sophisticated piece of malware that's wreaking havoc on Windows machines worldwide.  The authors appear to be specially targeting business and governmental entities in what may be a cyberespionage or cybersabotage attempt.  

A Fix for Duqu:

Symantec warns:

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and the recovered samples have been created after the last-discovered version of Stuxnet. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in  the industrial sector, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on various industries, including industrial control system facilities.

The malware piggybacks inside seemingly legitimate documents from Microsoft Corp.'s (MSFT) Word application.  Once infected, the malware takes complete control of the affected system and accesses the address book, sending out infected Word documents to your contacts along with brief, innocuous seeming messages.  Microsoft listed the threat as "severe".

Usually Microsoft has a pretty fast turnaround, when it comes to addressing such serious threats, and it did not disappoint here.  Just days after the zero-day vulnerability was discovered, Microsoft has published new details of what's going on, along with a temporary fix to remove Duqu.

According to Microsoft's TechNet Security TechCenter and a post in the Microsoft Knowledge Base the Duqu virus is exploiting a zero-day vulnerability in the Win32k TrueType font-parsing engine.  The vulnerability allows arbitrary code to be executed in kernel mode (a so called "privileges escalation" exploit).

Duqu code
A peak at the code of Duqu's malware payload [Source: Symantec]

Microsoft has also released a QuickFix tool, available in the above linked Knowledge Base post, which scrounges around and removes the vestiges of known Duqu variants 

Symantec Corp. (SYMC) -- one of the world's largest security firms -- is currently working with Microsoft to combat the threat and identify variants of the growing malware threat.  The company has published a detailed report on Duqu, which is available here [PDF].

Duqu CaC
Symantec has chronicled Duqu's sophisticated remote command & control (CaC) scheme. [Source: Symantec]

Symantec researchers say they first received a copy of Duqu from the Budapest University of Technology and Economics (BME).  BME obtained that piece on Oct. 14.

Related Developments:

Some argue that Microsoft rushes patches for vulnerabilities to market too fast.  They say that rushed patches often fail to completely protect against various variants of a malware threat, hurting the user in the long run.  Still, the majority of security firms seem supportive of Microsoft's approach.

In related news chipmaker Intel Corp. (INTC) is working with recent acquisition McAfee to include hardware-level protection against escalation of privileges attacks.  The technology seems very promising as it could protect against so-called zero-day vulnerabilities like the TrueType parsing exploit used by Duqu.  While it might seem improbable to be able to protect against an attack you've never encountered before, Intel is looking to do this by detecting the kinds of escalation behavior that are ubiquitous among many malware programs.

Sources: TechNet, KnowledgeBase, Symantec

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By anactoraaron on 11/4/2011 5:25:38 PM , Rating: 5
you can't fix stupid. MS tries to make their OS/software as idiot-proof as they can but really if someone decides to open every email and every attachment in their inbox without even checking to see if it is even someone they know... or if 'oh that ad there looks like a good deal!' then infection is bound to happen. No platform is 100% secure - OSX, Windows, maybe even Linux (although it's not likely there's a linux box out there owned by someone who lacks common sense in regards to system security). Sure these systems have security measures in place now that make you confirm some of the nasty malware/etc before they are able to run wild, but if you are the type of person to just 'click whatever to make the box go away' (and we all have a family member who says insane things like that) then you will never be safe. And it's not because the companies that made the OS/software don't care and aren't concerned for your system's security.

As with everything these days you need really 2 things. Common sense and an awareness of your own responsibility in bad things happening from your own actions.

RE: Well...
By anactoraaron on 11/4/2011 5:27:41 PM , Rating: 3
From Technet:

Mitigating Factors:

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message .

RE: Well...
By kraeper on 11/4/2011 6:44:11 PM , Rating: 5
...without even checking to see if it is even someone they know...

Well the beauty part is that it WILL come from someone you know:
Once infected, the malware takes complete control of the affected system and accesses the address book, sending out infected Word documents to your contacts along with brief, innocuous seeming messages.

Your point stands that you can't fix users, but the old advice of 'only open stuff from people you know' no longer applies.

RE: Well...
By lecanard on 11/5/2011 7:45:42 PM , Rating: 2
It helps to read emails before opening attachments. If it's a generic, "Hey check out this great attachment!", then be careful. When you send people attachments, make the text show that you aren't a hacker or a robot.

RE: Well...
By B3an on 11/6/2011 7:01:37 AM , Rating: 1
That hasn't applied for many years. I was getting these kind of emails from people i knew atleast 10 years ago. I dont know why people, especially on a tech site, still say "check to see if it is someone you know". How can they be so computer illiterate still?

RE: Well...
By Subzero0000 on 11/6/2011 9:28:16 PM , Rating: 3
Well the beauty part is that it WILL come from someone you know

Well, that is where the human intelligent was supposed to beat the spam filter, but some people failed to use it...
they simply don't bother to read contents before opening attachment.

RE: Well...
By NicodemusMM on 11/5/2011 6:58:03 PM , Rating: 4
When someone gets an email from their boss labeled "New SOP. Please read." they're probably going to open it and check the attachment. By the time they realize it's not legit it's too late.
In situations like this it's difficult to condemn the developer (MS) or the user. The only real security is that which most cannot do... simply turn it off and find something else to do.

RE: Well...
By PitViper007 on 11/8/2011 8:59:19 AM , Rating: 2
Hmmm this is very true. The VP of the company I work for sends out memos and letters this way all the time to the staff.

And MS shows once again they care
By Azure Sky on 11/4/2011 5:04:09 PM , Rating: 5
The way I see this is that MS got out a patch very quickly to address this problem, maby not a perm fix, but unlike companies like Apple they(ms) seem to really take these issues seriously and dont just try and pretend they dont exist.

I wish more companies would get out critical patches to known issues in a timely manner.

RE: And MS shows once again they care
By tng on 11/5/2011 8:56:42 AM , Rating: 5
Can' rate you up again so I will just leave this from Apple....

"It just works!"

RE: And MS shows once again they care
By Tony Swash on 11/7/11, Rating: -1
RE: And MS shows once again they care
By tng on 11/7/2011 12:14:27 PM , Rating: 2
Yeah, it was a snarky comment, but his post was centered on the fact that MS was quickly getting the fix out there. Not on how many computers were affected by this.

Also it is interesting to note that MS didn't just work on a problem quietly and not admit publicly that it existed. Apple took the wrong tact there and should have been more forthcoming. It is almost like their image is more important than the customers... hence the comment.

RE: And MS shows once again they care
By its tom hanks on 11/7/2011 1:24:02 PM , Rating: 2
In the real world 99.99% of malware affects Windows only PCs

do you even realize that means a ratio of 1:10,000? naive much?

In the real world millions of Windows PCs are infected with malware

...and i could say the same about macs... (although your 1:10,000 ratio seems contradictory to that)

In the real world millions of Windows PCs are infected with new malware every year


how's it feel to make apple consumers look a little bit dumber each day?

By tastyratz on 11/7/2011 11:07:47 AM , Rating: 2
absolutely. so what if they release a second critical patch refining the first one? Sometimes you have to fix a leak with gum before you can replace the brick. I applaud ms for releasing a quick fix fast to help people, then continue to further refine in the future driving out variants which likely spawn after the fix has even passed through testing. If you wait to make sure you caught every single type out there you give it a chance to further spread and mutate.

A pawn, he is
By ViroMan on 11/6/2011 6:45:00 AM , Rating: 2
Duqu is just a pawn. There is more sinister work at hand.

RE: A pawn, he is
By Camikazi on 11/6/2011 6:06:14 PM , Rating: 2
I see what you did there :)

By mechBgon on 11/5/2011 2:50:25 PM , Rating: 2
I deployed the Fix-It workaround to the systems at work. The only impact noted so far, is that saving stuff as PDF from Office 2010 doesn't work while this stopgap measure is in place.

"We shipped it on Saturday. Then on Sunday, we rested." -- Steve Jobs on the iPad launch

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Snapchat’s New Sunglasses are a Spectacle – No Pun Intended
September 24, 2016, 9:02 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki