
Worm exploits a zero-day vulnerability in the Windows TrueType font-parsing component

The Duqu [dyü-kyü] worm, containing parts of the Stuxnet code, is a sophisticated piece of malware that's wreaking havoc on Windows machines worldwide. The authors appear to be specifically targeting business and governmental entities in what may be a cyberespionage or cybersabotage attempt.

A Fix for Duqu:

Symantec warns:

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and the recovered samples have been created after the last-discovered version of Stuxnet. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on various industries, including industrial control system facilities.

The malware piggybacks inside seemingly legitimate documents from Microsoft Corp.'s (MSFT) Word application. Once a machine is infected, the malware takes complete control of the affected system and accesses the address book, sending out infected Word documents to your contacts along with brief, innocuous-seeming messages. Microsoft listed the threat as "severe".

Usually Microsoft has a pretty fast turnaround when it comes to addressing such serious threats, and it did not disappoint here. Just days after the zero-day vulnerability was discovered, Microsoft published new details of what's going on, along with a temporary fix to remove Duqu.

According to Microsoft's TechNet Security TechCenter and a post in the Microsoft Knowledge Base, the Duqu virus is exploiting a zero-day vulnerability in the Win32k TrueType font-parsing engine. The vulnerability allows arbitrary code to be executed in kernel mode (a so-called "privilege escalation" exploit).
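The article says Duqu arrives in a Word document and triggers the TrueType font parser, but not how the font reaches the parser. The following added example (not Microsoft's or Symantec's tooling) assumes the usual mechanism, a font embedded in the document, and shows a triage check for OOXML .docx files that lists every embedded font face so a mail gateway or analyst can flag documents that carry one; binary .doc files would need an OLE parser instead, and the sample documents are constructed here, not real Duqu samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"


def embedded_fonts(docx_bytes):
    """Return (font name, zip part) pairs for fonts embedded in a .docx.

    Word declares an embedded face in word/fontTable.xml with
    <w:embedRegular r:id="..."/> (or embedBold/embedItalic/embedBoldItalic);
    the r:id resolves through word/_rels/fontTable.xml.rels to a part such as
    word/fonts/font1.odttf, which is the data handed to the font parser.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/fontTable.xml" not in names:
            return found  # no font table: nothing embedded
        rels = {}
        if "word/_rels/fontTable.xml.rels" in names:
            for rel in ET.fromstring(z.read("word/_rels/fontTable.xml.rels")):
                rels[rel.get("Id")] = "word/" + rel.get("Target", "")
        for font in ET.fromstring(z.read("word/fontTable.xml")).iter(W + "font"):
            for child in font:
                if child.tag.startswith(W + "embed"):
                    rid = child.get(R + "id")
                    found.append((font.get(W + "name"), rels.get(rid, rid)))
    return found


# Constructed sample parts (assumed names, not from any real malware sample).
FONT_TABLE = (
    '<w:fonts xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:font w:name="Calibri"/>'
    '<w:font w:name="Odd Sans"><w:embedRegular r:id="rId1"/></w:font></w:fonts>'
)
RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
    '2006/relationships/font" Target="fonts/font1.odttf"/></Relationships>'
)


def build_sample_docx(with_font):
    """Build a minimal constructed .docx, optionally carrying an embedded font."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")  # placeholder body
        if with_font:
            z.writestr("word/fontTable.xml", FONT_TABLE)
            z.writestr("word/_rels/fontTable.xml.rels", RELS)
            z.writestr("word/fonts/font1.odttf", b"\x00\x01\x00\x00" + b"\x00" * 12)
    return buf.getvalue()
```

A document that embeds any font is worth holding for inspection; most business documents reference installed fonts by name only.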

Image: A peek at the code of Duqu's malware payload [Source: Symantec]

Microsoft has also released a QuickFix tool, available in the above linked Knowledge Base post, which searches the system for and removes the remnants of known Duqu variants.

Symantec Corp. (SYMC) -- one of the world's largest security firms -- is currently working with Microsoft to combat the threat and identify variants of the growing malware threat.  The company has published a detailed report on Duqu, which is available here [PDF].

Image: Symantec has chronicled Duqu's sophisticated remote command & control (CaC) scheme. [Source: Symantec]

Symantec researchers say they first received a copy of Duqu from the Budapest University of Technology and Economics (BME), which obtained the sample on Oct. 14.

Related Developments:

Some argue that Microsoft rushes patches for vulnerabilities to market too fast. They say that rushed patches often fail to protect against every variant of a malware threat, hurting the user in the long run. Still, the majority of security firms seem supportive of Microsoft's approach.

In related news, chipmaker Intel Corp. (INTC) is working with recent acquisition McAfee to include hardware-level protection against privilege-escalation attacks. The technology seems very promising, as it could protect against so-called zero-day vulnerabilities like the TrueType parsing exploit used by Duqu. While it might seem improbable to protect against an attack you've never encountered before, Intel is looking to do this by detecting the kinds of escalation behavior that are common to many malware programs.

Sources: TechNet, KnowledgeBase, Symantec




By Tony Swash on 11/7/2011 1:33:11 PM, Rating: 0
quote:
quote:
In the real world 99.99% of malware affects Windows only PCs

Do you even realize that means a ratio of 1:10,000? Naive much?


What the fuck are you talking about :)

99.99% of malware runs on Windows. The meaning seems plain to me.

quote:
In the real world millions of Windows PCs are infected with malware

...and I could say the same about Macs... (although your 1:10,000 ratio seems contradictory to that)


No you can't. Actual infections of Macs in the real world by malware are vanishingly small in number.

quote:
how's it feel to make apple consumers look a little bit dumber each day?


Why - because they prefer well designed kit, with a modern productive OS and they want to avoid Windows malware? Sounds pretty clever to me. It's the hayseeds who buy Windows PCs I feel sorry for.

