Print 24 comment(s) - last by blankslate.. on Nov 4 at 12:43 PM


No, not THAT Dooku, it's the Duqu worm.  (Source: LucasFilm, Ltd.)
Customers are at high risk after a gaping hole was found in MSO's security

If you just received a Word document from a colleague, don't open it until you verify they really sent it.  A new worm is sweeping the globe and it hides inside innocent-looking Word documents, waiting to strike via a hitherto unknown vulnerability.  

I. Duqu Worm Taps Microsoft Vulnerability, Proliferates

The "Duqu" worm is currently sweeping corporate networks worldwide, seeking to infect as many machines as possible in what appears to be an effort to target power plants, oil refineries and pipelines.  

Microsoft Corp. (MSFT) revealed this week that Duqu uses code similar to that of the Stuxnet worm, which crippled Iranian nuclear power computer systems in 2010.  Many have voiced suspicions that U.S. defense or intelligence agencies were behind Stuxnet, but it appears extremely unlikely that the U.S. government had anything to do with Duqu.  In fact, Duqu appears to be targeting U.S. allies.

The worm exploits a hitherto-unknown zero-day flaw in Microsoft Office and the Windows operating system.  When the victim receives and opens an infected Word document -- which appears entirely normal -- the worm installs itself on their machine and takes control of the system.

The worm then proceeds to propagate by opening your contact lists in programs like Thunderbird and Outlook and emailing infected documents to all of your contacts.

Duqu's attack path
The Duqu worm exploits a previously unknown vulnerability to execute malicious shellcode and gain system access in a sophisticated cyberespionage effort [Source: Symantec]

Microsoft would only comment, "We are working diligently to address this issue and will release a security update for customers."

A Knowledge Base (KB) page on the worm can be found here.  It lists the worm's threat level as "severe".

II. Worm Targets U.S. Allies

Symantec Corp. (SYMC) is among the firms tracking Duqu.  Interestingly, they make some statements about the worm's origin which seemingly exonerate the U.S. from Stuxnet suspicions.  Symantec states that the Duqu authors must have either been given code by the Stuxnet authors, have stolen the code from the Stuxnet authors, or are themselves the Stuxnet authors.  

Symantec's Kevin Haley comments to Reuters, "We believe it is the latter."

The sophistication of this worm suggests that if the U.S. didn't have a hand in crafting it, that China or Russia perhaps did.  A command and control server was found to be hosted in Belgium, but it's rather unlikely that the attackers chose their home nation to host the attacking platform.

China -- a cyber-superpower and notorious aggressor -- is thought to maintain a repository of unpublished vulnerabilities on platforms such as Windows, Linux, and OS X, waiting to exploit them when the need arises.

Nine international organizations have found their systems compromised.  The countries in which these victim organizations were compromised are:
  • Organization A - France, Netherlands, Switzerland, Ukraine
  • Organization B - India
  • Organization C - Iran
  • Organization D - Iran
  • Organization E - Sudan
  • Organization F - Vietnam
Other researchers report that systems in the United Kingdom, Austria, Hungary, and Indonesia were infected.

Duqu spread
[Source: Symantec]

Sources: Symantec, Reuters




RE: Huh?
By sigmatau on 11/2/2011 3:50:20 PM , Rating: 1
How do you get infected anymore? I can't get my computer to get infected if I tried. When you get an email with an attachment and attempt to open it, doesn't your browser or anti-virus scan it before you can touch it?

Is this threat so new that there are no detection tools available for it? If it can be detected, it shouldn't be affecting your system unless you disable something.


RE: Huh?
By lightfoot on 11/2/2011 4:14:54 PM , Rating: 2
quote:
Is this threat so new that there are no detection tools available for it?

"Zero-day" means exactly that. It is using an exploit that nobody had ever even heard of before (except the person who created the exploit, of course).

You will also notice that the virus payload is encrypted which would make it more difficult for virus scanners to detect the virus prior to an actual infection. The updated scanner definitions at present seem to detect the virus after infection, not prior to it.

