Duqu exploited Windows kernel vulnerability

Posted by Emma Woollacott

It has emerged that the Duqu virus, recently discovered hitting industrial systems in the same manner as Stuxnet, did so by exploiting a Windows kernel zero-day vulnerability.

Researchers from the CrySyS laboratory in Hungary say the installation file used to infect systems was a malicious Microsoft Word document designed to exploit a previously unknown (zero-day) code execution vulnerability in the Windows kernel.

Unfortunately, says Symantec, there is no workaround at the moment.

Once Duqu has gained a foothold in an organization, it can be remotely commanded to spread using the Server Message Block (SMB) protocol, the same protocol used for file and printer sharing.

"Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server," says Symantec.

"The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server."

Duqu could thus create a bridge between the network's internal servers and the C&C server, allowing the attackers to reach Duqu infections in secure zones by using computers outside the secure zone as proxies.
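The relay pattern described above leaves a network-level trace a defender can look for: an internal host with no direct Internet egress that exchanges SMB traffic with a peer that does reach external addresses. The following Python is an added, constructed example (not Symantec's or CrySyS's code) that scores such pairs from flow records; the flow tuples, the internal prefixes and the `known_servers` allowlist are assumptions for illustration.

```python
import ipaddress

SMB_PORT = 445

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (src, dst, dst_port); not real Duqu traffic.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.1.5", 445),     # isolated host -> file server (benign)
    ("10.0.1.21", "10.0.1.5", 445),
    ("10.0.2.7", "203.0.113.9", 443),   # egress-capable host talks to outside
    ("10.0.1.20", "10.0.2.7", 445),     # isolated host <-> egress host over SMB
    ("10.0.2.7", "10.0.1.20", 445),
    ("10.0.1.5", "198.51.100.4", 443),  # file server also has egress
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_hosts(flows):
    """Internal hosts that initiated at least one flow to an external address."""
    return {src for src, dst, _ in flows
            if is_internal(src) and not is_internal(dst)}


def find_relay_candidates(flows, known_servers=frozenset()):
    """Return sorted (isolated_host, egress_host) pairs that talk SMB to each
    other where exactly one side has Internet egress. Ordinary file servers
    match this shape too, so pass them in known_servers to suppress them."""
    egress = egress_hosts(flows)
    pairs = set()
    for src, dst, port in flows:
        if port != SMB_PORT or not (is_internal(src) and is_internal(dst)):
            continue
        # Orient the pair so that `isolated` is the side without egress.
        isolated, peer = (src, dst) if src not in egress else (dst, src)
        if (isolated in egress) == (peer in egress):
            continue  # both or neither have egress: not the relay shape
        if peer in known_servers:
            continue
        pairs.add((isolated, peer))
    return sorted(pairs)


if __name__ == "__main__":
    for pair in find_relay_candidates(SAMPLE_FLOWS, known_servers={"10.0.1.5"}):
        print("possible SMB relay: %s -> %s" % pair)
```

This is a triage heuristic, not a signature: it narrows the hosts worth examining for file-share C&C relaying and is only as good as the completeness of the flow data and the allowlist.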

Symantec says there's evidence that Duqu was created by the same people as Stuxnet, the worm that was used to attack Iran's nuclear facilities last year.

Duqu appears, says Symantec, to have infected half a dozen organizations in eight countries. After a C&C server in India was identified and shut down, a new one, hosted in Belgium, was identified and has now been shut down.