Investigators seeking more information about the Duqu Trojan have discovered its installer, yielding new clues about how systems are infected by the malware.
Researchers at Budapest-based Laboratory of Cryptography and System Security (CrySyS) detected the installer, a malicious Microsoft Word document, and discovered that Duqu includes a dropper file that targets a Microsoft Windows kernel zero-day flaw. When the file is opened, the malicious code executes, quietly installing the malicious Duqu files.
The discovery is important because it forces Microsoft to start developing a patch for the flaw. While no additional workarounds exist, enterprises can bolster defenses by educating end users about suspicious attachments.
Symantec issued a Duqu Trojan status update explaining how the cybercriminals behind the malware pull off a successful attack. The company warns that other attack vectors may exist.
"The Word document was crafted in such a way as to definitively target the intended receiving organization," Symantec said. "Furthermore, the shell-code ensured Duqu would only be installed during an eight-day window in August."
Symantec said organizations that consider Duqu a threat should follow best practices and avoid opening documents from unknown parties. "Fortunately, most security vendors already detect and block the main Duqu files, thereby preventing the attack," Symantec said.
Symantec released information about Duqu on Oct. 14, describing how the Trojan contains some of the same source code used by the Stuxnet worm. Duqu carries a different payload: instead of disrupting industrial processes, it has been targeted at industrial equipment manufacturers and collects details about the manufacturers' systems and other proprietary data. Symantec, which is working closely with the CrySyS researchers, warned that Duqu may be a precursor to a far more dangerous attack.
Duqu infections appear to be limited, Symantec said. Once Duqu infects a system, it attempts to contact a command-and-control (C&C) server from which attackers can install additional malware designed to record keystrokes and steal other information. While some infections were able to contact a C&C server directly, Symantec said other infections did not contain the communications functionality at all and instead used a file-sharing protocol to connect to a computer that could reach the remote server for instructions.
The Duqu configuration files on these computers were configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that was able to connect to the C&C server.
"Duqu creates a bridge between the network's internal servers and the C&C server," Symantec said. "This allowed the attackers to access Duqu infections in secure zones with the aid of computers outside the secure zone being used as proxies."
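The proxying behaviour Symantec describes leaves a pattern a defender can look for in network flow records: a host in a segregated zone that should have no Internet egress talks over a file-sharing port to a host outside that zone, and that outside host makes an outbound connection to an external address at about the same time. The script below is an added example, not code from the article, Symantec or CrySyS; it assumes a constructed flow-log format (timestamp, source, destination, destination port), a hypothetical "secure zone" address range, and a fixed list of internal ranges, and it runs on embedded sample flows that were constructed for the example rather than captured from a real Duqu infection.

```python
"""Flag candidate 'bridge' hosts between a secure zone and external C&C.

Added example, not from the article. All addresses, ranges and flows are
constructed; the log format (ts,src,dst,dport) is an assumption.
"""
import ipaddress
from collections import defaultdict

# Hypothetical segregated zone whose hosts must never reach the Internet directly.
SECURE_ZONE = ipaddress.ip_network("10.20.0.0/16")
# Ranges treated as "inside the organisation"; anything else counts as external.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
FILE_SHARE_PORTS = {445, 139}   # SMB / NetBIOS session
WINDOW_SECONDS = 600            # how close in time the two flows must be

# Constructed sample flows: "timestamp,src,dst,dport"
SAMPLE_FLOWS = [
    "1000,10.20.1.5,10.30.2.7,445",       # secure host -> outside host over SMB
    "1010,10.30.2.7,203.0.113.10,443",    # that outside host -> external address
    "1020,10.20.1.9,10.30.2.7,445",       # second secure host using the same relay
    "1500,10.30.2.8,10.30.2.9,445",       # ordinary SMB between non-secure hosts
    "1600,10.30.2.9,203.0.113.10,80",     # no secure-zone peer, so not a bridge
    "2000,10.20.1.5,10.20.1.6,445",       # SMB inside the secure zone only
    "2100,10.20.1.7,198.51.100.5,443",    # secure host with direct egress (policy violation)
]


def parse_flow(line):
    """Parse one constructed flow record into typed fields."""
    ts, src, dst, dport = line.split(",")
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def is_external(ip):
    """True when the address is outside every internal range."""
    return not any(ip in net for net in INTERNAL_RANGES)


def find_bridge_hosts(lines, window=WINDOW_SECONDS):
    """Return {relay_host: [(secure_src, external_dst), ...]}.

    A relay is a non-secure-zone host that both receives file-sharing
    connections from the secure zone and reaches an external address
    within `window` seconds of such a connection.
    """
    flows = [parse_flow(line) for line in lines]
    inbound_from_secure = defaultdict(list)   # relay -> [(ts, secure_src)]
    outbound_external = defaultdict(list)     # host  -> [(ts, external_dst)]
    for ts, src, dst, dport in flows:
        if src in SECURE_ZONE and dst not in SECURE_ZONE and dport in FILE_SHARE_PORTS:
            inbound_from_secure[dst].append((ts, src))
        if not is_external(src) and is_external(dst):
            outbound_external[src].append((ts, dst))

    findings = defaultdict(set)
    for relay, inbound in inbound_from_secure.items():
        for ts_in, secure_src in inbound:
            for ts_out, ext in outbound_external.get(relay, []):
                # Either order is suspicious: the relay may poll C&C first.
                if abs(ts_out - ts_in) <= window:
                    findings[str(relay)].add((str(secure_src), str(ext)))
    return {relay: sorted(pairs) for relay, pairs in findings.items()}


def find_direct_egress(lines):
    """Secure-zone hosts that reached an external address directly."""
    flows = [parse_flow(line) for line in lines]
    return sorted({str(src) for _, src, dst, _ in flows
                   if src in SECURE_ZONE and is_external(dst)})


if __name__ == "__main__":
    for relay, pairs in find_bridge_hosts(SAMPLE_FLOWS).items():
        print(f"possible bridge host {relay}: {pairs}")
    print("secure-zone hosts with direct egress:", find_direct_egress(SAMPLE_FLOWS))
```

On the sample data the script reports 10.30.2.7 as a possible bridge serving two secure-zone hosts, and 10.20.1.7 as a secure-zone host that violated the no-egress policy outright. Real flow logs carry far more SMB noise than this, so in practice the relay list is a starting point for triage (which process on the relay opened the external connection, what was written to the share) rather than a verdict by itself.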
Microsoft has not yet released an advisory indicating when it might have a patch to plug the kernel vulnerability. The software giant's next security updates are scheduled for 1 p.m. ET, Nov. 8.
CrySyS, the organization that discovered Duqu and conducted the initial analysis of the malware, said it will continue to analyze the Trojan and release information to the security community. The research team cautioned security vendors to limit speculation.
"Instead of speculating, we encourage all professional organizations to reinforce the joint means of finding an answer, since strong international collaboration will continue to play a key role," the research team said on the CrySyS website.
According to Reuters, last week investigators seized computer equipment from a data center in India believed to be associated with the Duqu malware.