Security researchers at the CrySyS laboratory in Hungary have found an installer for the Stuxnet-inspired threat Duqu, which has already caused the security industry considerable trouble over the last few weeks. The installer exploits a previously unknown vulnerability in the Windows kernel.
CrySyS, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics, was the first to identify the Duqu malware components, such as the malicious driver and DLL found on infected systems.
As the CrySyS researchers put it, “Our lab [...] pursued the analysis of the Duqu malware and as a result of our investigation, we identified a dropper file with an MS 0-day kernel exploit inside.”
The team also added, “We immediately provided competent organizations with the necessary information such that they can take appropriate steps for the protection of the users.”
Symantec analyzed the samples that CrySyS obtained from Duqu-infected computers. According to the company, computers are infected with Duqu through a Microsoft Word document that, when opened, exploits the zero-day Windows vulnerability.
Most of the infected documents reach the targeted companies through social engineering attacks against their employees. Symantec researchers pointed out that “The Word document was crafted in such a way as to definitively target the intended receiving organization.”
Microsoft has been informed of the issue and is working on a fix. In the meantime, users are advised not to open documents received from unknown sources.
Because only one installer has been found so far, researchers have not identified any infection vector other than .doc files. They have found, however, that Duqu can also spread to other computers by copying itself to shared folders on the network.
Interestingly, Duqu also has a fallback mechanism that lets it operate on machines without a direct Internet connection: it downloads updated configuration files from other infected systems on the same network.
The security researchers also pointed out that “Duqu creates a bridge between the network's internal servers and the C&C [command and control] server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.”
A new command and control server hosted in Belgium has also been found recently. It was identified after the original C&C server, located in India, was shut down, which clearly indicates that whoever is behind this malware is monitoring the situation closely and reacting accordingly.
To date, Symantec has confirmed infections in numerous countries, including France, the Netherlands, Switzerland, Iran, Ukraine, Sudan, India and Vietnam. Other vendors have also confirmed the presence of Duqu in Austria, Indonesia and the U.K. This shows that Duqu has been operating on a global level.