
No, not THAT Dooku, it's the Duqu worm.  (Source: LucasFilm, Ltd.)
Customers are at high risk after a gaping hole was found in MSO's security

If you just received a Word document from a colleague, don't open it until you verify they really sent it.  A new worm is sweeping the globe and it hides inside innocent-looking Word documents, waiting to strike via a hitherto unknown vulnerability.  

I. Duqu Worm Taps Microsoft Vulnerability, Proliferates

The "Duqu" worm is currently sweeping corporate networks worldwide, seeking to infect as many machines as possible in what appears to be an effort to target power plants, oil refineries and pipelines.  

Microsoft Corp. (MSFT) revealed this week that Duqu uses code similar to the Stuxnet worm, which crippled Iranian nuclear power computer systems in 2010.  Many have voiced suspicions that U.S. defense or intelligence agencies were behind Stuxnet, but it appears extremely unlikely that the U.S. government had anything to do with Duqu.  In fact, Duqu appears to be targeting U.S. allies.

The worm exploits a hitherto-unknown zero-day flaw in Microsoft Office and the Windows operating system.  When the victim receives and opens an infected Word document -- which appears entirely normal -- the worm installs itself on their machines and takes control of the system.

The worm then proceeds to propagate by opening the victim's contact lists in programs like Thunderbird and Outlook and emailing infected documents to every contact.
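The propagation step described above, one sender pushing Word attachments to an entire contact list in a short burst, is a pattern a mail gateway can flag without knowing anything about the exploit itself. The script below is an added example written for this page, not code from the article, Microsoft or Symantec; the pipe-free log format and the sample log lines are constructed for the demonstration, and the window and threshold values are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-gateway log (not from the article or any real product).
# Fields: ISO timestamp, sender, recipient, attachment name.
# alice@ sends the same .doc to six people within ten seconds (worm-like burst);
# carol@ sends a .doc to two people hours apart (normal behaviour).
SAMPLE_LOG = """\
2011-11-02T13:01:05 alice@example.org bob@example.org quarterly_report.doc
2011-11-02T13:01:07 alice@example.org carol@example.org quarterly_report.doc
2011-11-02T13:01:09 alice@example.org dave@example.org quarterly_report.doc
2011-11-02T13:01:11 alice@example.org erin@example.org quarterly_report.doc
2011-11-02T13:01:13 alice@example.org frank@example.org quarterly_report.doc
2011-11-02T13:01:15 alice@example.org grace@example.org quarterly_report.doc
2011-11-02T13:05:00 bob@example.org alice@example.org notes.txt
2011-11-02T14:00:00 carol@example.org dave@example.org budget.doc
2011-11-02T16:30:00 carol@example.org erin@example.org budget.doc
"""

DOC_EXTENSIONS = (".doc", ".docx")


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient, attachment)."""
    ts, sender, recipient, attachment = line.split()
    return datetime.fromisoformat(ts), sender, recipient, attachment


def find_mass_mailers(log_text, window=timedelta(minutes=5), min_recipients=5):
    """Return {sender: distinct_recipient_count} for every sender that delivered
    Word attachments to at least `min_recipients` distinct recipients inside
    any `window`-long interval. Thresholds are assumptions for the example."""
    events = defaultdict(list)  # sender -> [(timestamp, recipient), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, attachment = parse_line(line)
        if attachment.lower().endswith(DOC_EXTENSIONS):
            events[sender].append((ts, recipient))

    flagged = {}
    for sender, items in events.items():
        items.sort()  # chronological order for the sliding window
        start = 0
        best = 0
        for end in range(len(items)):
            # advance the window start until the span fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({r for _, r in items[start:end + 1]})
            best = max(best, distinct)
        if best >= min_recipients:
            flagged[sender] = best
    return flagged


if __name__ == "__main__":
    for sender, n in find_mass_mailers(SAMPLE_LOG).items():
        print(f"ALERT {sender}: Word attachments to {n} distinct recipients within 5 minutes")
```

Only alice@example.org trips the default thresholds; carol@example.org's two attachments are hours apart, so the sliding window never sees more than one recipient. Relaxing the window to three hours and the threshold to two recipients flags carol as well, which is the usual trade-off between catching slow senders and drowning in false positives.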

Duqu's attack path
The Duqu worm exploits a previously unknown vulnerability to execute malicious shellcode and gain system access in a sophisticated cyberespionage effort [Source: Symantec]

Microsoft would only comment, "We are working diligently to address this issue and will release a security update for customers."

A Knowledge Base (KB) page on the worm can be found here.  It lists the worm's threat level as "severe".

II. Worm Targets U.S. Allies

Symantec Corp. (SYMC) is among the firms tracking Duqu.  Interestingly, they make some statements about the worm's origin which seemingly exonerate the U.S. from Stuxnet suspicions.  Symantec states that the Duqu authors must either have been given code by the Stuxnet authors, have stolen the code from the Stuxnet authors, or be the Stuxnet authors themselves.  

Symantec's Kevin Haley comments to Reuters, "We believe it is the latter."

The sophistication of this worm suggests that if the U.S. didn't have a hand in crafting it, that China or Russia perhaps did.  A command and control server was found to be hosted in Belgium, but it's rather unlikely that the attackers chose their home nation to host the attacking platform.

China -- a cyber-superpower and notorious aggressor -- is thought to maintain a repository of unpublished vulnerabilities on platforms such as Windows, Linux, and OS X, waiting to exploit them when the need arises.

Nine international organizations have found their systems compromised.  The countries in which these victim organizations were compromised are:
  • Organization A - France, Netherlands, Switzerland, Ukraine
  • Organization B - India
  • Organization C - Iran
  • Organization D - Iran
  • Organization E - Sudan
  • Organization F - Vietnam
Other researchers report that systems in the United Kingdom, Austria, Hungary, and Indonesia were infected.

Duqu spread
[Source: Symantec]

Sources: Symantec, Reuters


By Jason H on 11/2/2011 1:11:21 PM , Rating: 2
If this targets the same security vulnerability as an exploit from last year, wouldn't it have been patched by now?

RE: Huh?
By lightfoot on 11/2/2011 3:08:47 PM , Rating: 4
From what I've seen elsewhere (not contained in this article), Duqu is using a zero-day exploit that is unique to Duqu. Although it contains code from Stuxnet, the exploit it is using is not part of that code.

This appears to be a genuine zero-day that Microsoft was not aware of until now.

RE: Huh?
By AnnihilatorX on 11/2/2011 7:57:51 PM , Rating: 4
In that case this article is wrong in asserting that it uses the same exploit as Stuxnet.

RE: Huh?
By Taft12 on 11/3/2011 4:34:30 PM , Rating: 2
I can't see a section of this article that asserts what you're saying... Unless Mick has changed the article.

I gather step 1 from the Symantec flowchart is the only difference between Duqu and Stuxnet though (i.e. it uses a different security hole to get things started).

RE: Huh?
By Alexvrb on 11/3/2011 10:18:09 PM , Rating: 2
Nasty "Duqu" Worm Exploits Same Microsoft Office Bug as Stuxnet
This maybe? It seems to imply a shared vulnerability. The article could stand to be a little more clear on the matter.

RE: Huh?
By sigmatau on 11/2/2011 3:50:20 PM , Rating: 1
How do you get infected anymore? I can't get my computer to get infected if I tried. When you get an email with an attachment and attempt to open it, doesn't your browser or anti-virus scan it before you can touch it?

Is this threat so new that there are no detection tools available for it? If it can be detected, it shouldn't be affecting your system unless you disable something.

RE: Huh?
By lightfoot on 11/2/2011 4:14:54 PM , Rating: 2
Is this threat so new that there are no detection tools available for it?

"Zero-day" means exactly that. It is using an exploit that nobody had ever even heard of before (except the person who created the exploit, of course).

You will also notice that the virus payload is encrypted which would make it more difficult for virus scanners to detect the virus prior to an actual infection. The updated scanner definitions at present seem to detect the virus after infection, not prior to it.
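
The point made above, that an encrypted payload gives a signature scanner nothing stable to match before the file is opened, is why defenders fall back on content-agnostic heuristics such as byte entropy: encrypted or packed data looks close to uniformly random, while document text and ordinary code do not. The following is an added example written for this page, not code from the comment, the article or any scanner vendor; the sample document is constructed (readable text followed by a SHA-256 chain standing in for an encrypted blob), and the block size and 7.0-bit threshold are assumptions.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, block: int = 512, threshold: float = 7.0):
    """Return (offset, entropy) for each fixed-size block scoring above `threshold`.
    Encrypted or compressed content sits near 8 bits; prose and plain code sit well
    below. Block size and threshold are assumptions for this example."""
    hits = []
    for off in range(0, len(data), block):
        e = shannon_entropy(data[off:off + block])
        if e > threshold:
            hits.append((off, round(e, 2)))
    return hits


def _pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler built from a SHA-256 chain (constructed
    stand-in for an encrypted payload so the example runs offline)."""
    out = bytearray()
    digest = seed
    while len(out) < n:
        digest = hashlib.sha256(digest).digest()
        out.extend(digest)
    return bytes(out[:n])


# Constructed sample "document": 512 bytes of ordinary text, then 512 bytes of blob.
TEXT_PART = (b"This is an ordinary document body. " * 20)[:512]
BLOB_PART = _pseudo_random_bytes(512)
SAMPLE = TEXT_PART + BLOB_PART


if __name__ == "__main__":
    print(f"text block entropy: {shannon_entropy(TEXT_PART):.2f} bits/byte")
    print(f"blob block entropy: {shannon_entropy(BLOB_PART):.2f} bits/byte")
    for off, e in high_entropy_regions(SAMPLE):
        print(f"high-entropy region at offset {off}: {e} bits/byte")
```

Only the second block is reported. The caveat is that legitimately compressed content (images, archives, compressed XML inside modern Office files) scores just as high, so this is a triage signal for sandboxing or closer inspection, not a verdict on its own.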

What delicious irony
By Tony Swash on 11/3/11, Rating: 0
RE: What delicious irony
By blankslate on 11/3/2011 4:03:42 PM , Rating: 2
There's no irony. Microsoft has already said that they are devoting resources to fix the problem.

If this had been an issue with OS X then, based on past behavior, the problem would not have been publicly acknowledged by Apple and they might've instructed their customer service reps to not pretend that it didn't exist.

If Microsoft ignored the problem and buried its head in the sand like Apple likes to do when it comes to malware then there'd be more posts calling MS out on this issue.

You must be one of the few who posts in these threads that finds BS to be tasty... bon appétit though.

RE: What delicious irony
By Tony Swash on 11/3/2011 7:39:10 PM , Rating: 1
You still don't get it, do you? Why your apparently smart answer carries no weight in the real world, impresses nobody but a small bunch of phobes and microtards.

Imagine. In the real world General Motors has sold cars for years, decades, that have frequently burst into flame at unpredictable moments killing their occupants. Each generation of new cars from General Motors is claimed to reduce this risk, in fact the primary reason people upgrade their GM cars is to reduce the risk of being incinerated. As a result of all this GM cars have a deeply ingrained reputation with consumers for bursting into flames and GM car fans feel that given the strides GM has made to reduce the frequency of bursting into flames that modern GM cars are unfairly tarnished by the failure of older models.

Volkswagen cars have almost never burst into flames. Even going back years their cars just never caught fire. As a result Volkswagen cars have grown in popularity year after year, Volkswagen now sells three times as many cars as they did a couple of years ago.

Some GM car fans wave reports that claim to reveal that potential fire causing features and faults have been identified in some Volkswagen cars. Mostly consumers just ignore them and base their perception of how relatively inflammable GM cars and Volkswagen cars are on past performance, on how often each brand has actually burst into flame.

Some GM car fans feel this is all a bit unfair and try to point out that in theory all cars are in fact inflammable. Mostly consumers just ignore them.

The moral of this story is simple. Windows lost its reputation in relation to security a long time ago and won't get it back anytime soon, especially with stuff like the "Duqu" worm happening. Macs got a solid reputation for security a long time ago and unless there is an actual and very bad security problem affecting millions of Mac users, and there hasn't been one so far and there doesn't appear to be one looming, the Mac will retain its strong brand reputation for security.

The security reputations for the Mac and Windows brand are richly deserved in both cases.

RE: What delicious irony
By blankslate on 11/3/2011 10:41:57 PM , Rating: 2
Comparing Cars to computers? Are you serious?

Do you remember the urban legend joke cycle that began when people who worked in IT had taken to saying that if the car industry advanced as fast as the computer industry then people should be able to buy a car with 1000 h.p. that got 100 miles per gallon by now?

Eventually this grew into lists speculating what would happen if computer makers entered into the automobile

"You could only have one person in the car at a time, unless you bought Car95 or CarNT. But, then you would have to buy more seats."

"Macintosh would make a car that was powered by the sun, was reliable, five times as fast, twice as easy to drive - but would only run on 5 percent of the roads."

This only illustrates that your analogy about fires in cars and malware on an Operating system is specious at best.

As I said before reputations are based on perceptions and the perception that Windows is still the most insecure OS whilst OS X is bulletproof is based on "security through obscurity" and outright lies. Lies that people like you continue to perpetuate.

This year just like previous years an Apple product mainly through the Safari Browser is the 1st piece of software to be compromised.

Things change yet you still want to live in the past and keep people who don't know any better in the dark.

Apple may
will retain its strong brand reputation for security.
However it's a reputation that if put to the test folds like a house of cards. OS X is no more difficult to find exploits for than the versions of Windows developed in the same time frame.

unless there is an actual and very bad security problem affecting millions of Mac users
Funny you should say that because even when it does happen Apple will (based on past experience) probably keep it a secret as long as possible and instruct their employees to feign ignorance.

You, however, embrace it wholeheartedly. Have fun in fantasy land.

RE: What delicious irony
By Tony Swash on 11/4/2011 6:46:24 AM , Rating: 1
There you go again waving reports and "evidence" that nobody in the real world is interested in, convincing no one, talking about vague bad things that will one day happen to Mac security and Mac users. Nobody, except for slightly odd people like us, is listening. In the real world the mass of consumers has a clear view of the security strengths and weaknesses of the Mac and Windows brands, based on a mass of real world evidence over a long period of time. It's not hard for consumers to see what the evidence of the real world tells them; Windows has a terrible security track record and hence has a terrible security brand reputation, Mac has a superb security track record and hence has a stellar security brand reputation.

The only way that will change is not through some geek security event, or some report, or the bleating of Windoze fans; it will only change if millions of Macs suffered some sort of security breach in the real world that affected millions of users. That hasn't happened, though the Windoze fans and phobes keep promising it will 'real soon', and you and I both know it will never happen.

Meanwhile the Mac sales keep increasing and the iPad sales keep increasing. Nice.

RE: What delicious irony
By blankslate on 11/4/2011 12:43:18 PM , Rating: 2
Mac has a superb security track record and hence has a stellar security brand reputation.

There you go again only basing your statements on reputation and a track record from the 80s, 90s and early aughts.

A reputation that is based on old information and the fact that Apple's share of the computer market made it not worth the effort to write malware for the platform.

In a sense writers of malware can service 90 plus percent of their "customers" by focusing on Windows... and the extra effort of paying attention to the "niche" market isn't worth the effort.

So people conflate a lack of effort to exploit their platform of choice as proof that it is secure and are blissfully unaware that their "it just works" boxes are just as vulnerable.

Meanwhile as Apple enjoys increasing sales they slowly draw the attention of people who previously ignored them because there was lower hanging fruit...

Delicious irony indeed.

By Donovan on 11/2/2011 1:18:10 PM , Rating: 2
If you just received a Word document from a colleague, don't open it.

"Attention everyone, please stop what you're doing. Someone on the Internet has created a VIRUS!"

RE: Paranoia
By Obujuwami on 11/2/2011 1:33:31 PM , Rating: 5
You also need to add the line:

"Please open the following document for further details" and attach a blank word doc.

That is the kind of email that will make people start to think.

Oh the joy!
By gamefoo21 on 11/2/2011 1:02:27 PM , Rating: 2
This is why leaving holes in software for big brother is a bad idea. This is why letting big brother have the power to pressure companies to introduce these 'features', while muzzling the companies, is a horrible idea...

Way to go US government, bet you didn't expect to see this one biting your arse.

RE: Oh the joy!
By Labotomizer on 11/3/2011 12:49:38 PM , Rating: 2
You honestly believe this was a known exploit left open for some nefarious purpose? I suppose the moon landing was fake and the US government was behind 9/11 too right?

You don't know anything about software development, do you? Or the fact that Windows and Office contain 30+ million lines of code between the two programs. And since it is man made there will be flaws in the software. Usually these flaws are caught before an exploit is launched but unfortunately in this case it wasn't.

RE: Oh the joy!
By tamalero on 11/4/2011 12:00:00 PM , Rating: 2
Why do you think the US government makes it a MUST to give them the master password on commercial firewalls if they want to sell or offer them in the US?

By Samus on 11/2/2011 12:59:21 PM , Rating: 2
Jason, you use that term a lot, is there something we should know?

RE: Gapping
By sigmatau on 11/2/2011 3:52:40 PM , Rating: 2
"...someone told them I was a #@# rapper, but they don't know that I'm a #@#$@ gapper. "

Stuxnet Decompiled?
By lightfoot on 11/2/2011 1:09:28 PM , Rating: 2
Symantec states that the Duqu authors must have either been given code by the Stuxnet authors, stole the code from the Stuxnet authors, or are themselves the Stuxnet authors.

You don't necessarily need the source code for Stuxnet in order to reproduce its capabilities. Anyone could use a decompiler and start extracting portions of the executable code.

Having the source code helps, but is not required. Pandora's box was opened, it's just a matter of reverse engineering it and copying the functionality. A task that requires far less sophistication, and one that the Chinese have proven time and again that they are very good at.

Duqu whitepaper
By Bytre on 11/2/2011 7:32:12 PM , Rating: 2
The last couple paragraphs...
By neothe0ne on 11/2/11, Rating: -1
RE: The last couple paragraphs...
By lightfoot on 11/2/2011 4:34:47 PM , Rating: 2
You don't speak Mick?
China -- a cyber-superpower and notorious aggressor -- is thought to maintain a repository of unpublished vulnerabilities on platforms such as Windows, Linux, and OS X, waiting to exploit them when the need arises.

China keeps zero-day exploits archived for use as weapons.
Nine international organizations have found their systems have been compromised. The nations that these victim organizations operate in are:

From the Reuters article:
That suggests that the attackers behind Stuxnet either gave that code to the developers of Duqu, allowed it to be stolen, or are the same people who built Duqu, Haley said.

Symantec's Kevin Haley comments to Reuters, "We believe it is the latter."

Haley believes that the people who made Duqu are the same people/group who created Stuxnet.


Copyright 2016 DailyTech LLC.