Microsoft Airs Temporary Fix to Defeat Duqu Worm
November 4, 2011 4:00 PM
Worm is exploiting a zero-day vulnerability in the TrueType Windows component
The Duqu [dyü-kyü] worm, containing parts of the Stuxnet code, is a sophisticated piece of malware that's wreaking havoc on Windows machines worldwide. The authors appear to be specially targeting business and governmental entities in what may be a cyberespionage or cybersabotage attempt.
A Fix for Duqu:
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and the recovered samples have been created after the last-discovered version of Stuxnet. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on various industries, including industrial control system facilities.
The malware piggybacks inside seemingly legitimate documents from Microsoft Corp.'s Word application. Once infected, the malware takes complete control of the affected system and accesses the address book, sending out infected Word documents to your contacts along with brief, innocuous-seeming messages. Microsoft listed the threat as "severe".
Usually Microsoft has a pretty fast turnaround when it comes to addressing such serious threats, and it did not disappoint here. Just days after the zero-day vulnerability was discovered, Microsoft published new details of what's going on, along with a temporary fix to remove Duqu.
According to Microsoft's TechNet Security TechCenter and the Microsoft Knowledge Base, the Duqu virus is exploiting a zero-day vulnerability in the Win32k TrueType font-parsing engine. The vulnerability allows arbitrary code to be executed in kernel mode (a so-called "privilege escalation" exploit).
A peek at the code of Duqu's malware payload [Source: Symantec]
Microsoft has also released a QuickFix tool, available in the above-linked Knowledge Base post, which scrounges around and removes the vestiges of known Duqu variants.
Symantec Corp. -- one of the world's largest security firms -- is currently working with Microsoft to combat the threat and identify variants of the growing malware threat. The company has published a detailed report on Duqu, which is available
Symantec has chronicled Duqu's sophisticated remote command & control (CaC) scheme. [Source: Symantec]
Symantec researchers say they first received a copy of Duqu from the Budapest University of Technology and Economics (BME). BME obtained that piece on Oct. 14.
Some argue that Microsoft rushes patches for vulnerabilities to market too fast. They say that rushed patches often fail to completely protect against various variants of a malware threat, hurting the user in the long run. Still, the majority of security firms seem supportive of Microsoft's approach.
In related news, chipmaker Intel Corp. is working with recent acquisition McAfee to include hardware-level protection against escalation of privileges attacks. The technology seems very promising as it could protect against so-called zero-day vulnerabilities like the TrueType parsing exploit used by Duqu. While it might seem improbable to be able to protect against an attack you've never encountered before, Intel is looking to do this by detecting the kinds of escalation behavior that are ubiquitous among many malware programs.
RE: And MS shows once again they care
11/7/2011 11:07:47 AM
absolutely. so what if they release a second critical patch refining the first one? Sometimes you have to fix a leak with gum before you can replace the brick. I applaud ms for releasing a quick fix fast to help people, then continue to further refine in the future driving out variants which likely spawn after the fix has even passed through testing. If you wait to make sure you caught every single type out there you give it a chance to further spread and mutate.
Copyright 2015 DailyTech LLC.