Zero-day Windows bug blamed for Duqu virus infections

By Lee Kaelin on November 2, 2011, 12:30 PM

Microsoft is on the hot seat over a previously unknown bug in its Windows operating system that is being exploited to infect computers with the Duqu virus, tipped by some experts to be the next big cyber threat. The Duqu virus was discovered last month, but at the time security specialists were still investigating how it worked and how it arrived on computers. It was later found to be a sibling of the Stuxnet worm that crippled an Iranian nuclear fuel plant last year.

In a statement on its website, Symantec said, "we contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries. The chart below explains how the exploit in the Word document file leads to the installation of Duqu."

Symantec has confirmed that the virus is very close to the Stuxnet worm and even shares some of its source code. The Duqu virus was designed to gather industrial control system data, including engineers' keystrokes, which it compiles for use in a later attack. The security firm found that the installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability allowing code execution.

The malicious Word documents were worded specifically to target the intended recipient organization, according to researchers. No workarounds currently exist for those infected with the virus. "Once Duqu is able to get a foothold in an organisation through the zero-day exploit, the attackers can command it to spread to other computers," Symantec wrote.

So far, Duqu appears to have infected approximately six organizations in France, the Netherlands, Switzerland and Ukraine, as well as India, Iran, Sudan and Vietnam. Other security vendors have reported infections in Austria, Hungary, Indonesia, Iran (different infections from those reported by Symantec) and the UK.

Microsoft acknowledged the problem, with its security response team posting the following statement on Twitter: "we are working to address a vulnerability believed to be connected to the Duqu malware."

User Comments: 13

Guest said:

Anyone notice how China never gets hit with these corporate and national-level attacks? The rest of the world needs to grow some balls and take these Chinese to task... hard. Firewall the whole country.

Win7Dev said:

The US and European countries prefer to stick to more legal types of gathering information and ways that are much less traceable. Anything you put on a hard drive stays there unless you melt the hard drive in a furnace at 10,000 degrees (F). You could always use one of those eraser programs, but you can obviously tell something was wiped then, showing an intrusion was made.

tehbanz said:

Oh yeah, time to make the big $$$ off frantic end users scared shitless about the Duqu virus.

example1013 said:

More like MS loses money from having a critical exploit that allows code execution in their damn word processing program.

gwailo247, TechSpot Chancellor, said:

And I was so close to having my nuclear power plant go online...

Mindwraith said:

Guest said:

Anyone notice how China never gets hit with these corporate and national-level attacks? The rest of the world needs to grow some balls and take these Chinese to task... hard. Firewall the whole country.

It must be nice to see the world in such a blissfully simple way. If anything, America needs to get off its ass and try to catch up with China in terms of IT expertise.

NTAPRO said:

example1013 said:

More like MS loses money from having a critical exploit that allows code execution in their damn word processing program.

I was thinking the same thing :/

spydercanopus said:

CIA written all over it

PinothyJ said:

How is this a virus?

Have definitions changed since I left my computer to grab a beverage...

Archean, TechSpot Paladin, said:

Win7Dev said:

The US and European countries prefer to stick to more legal types of gathering information and ways that are much less traceable. Anything you put on a hard drive stays there unless you melt the hard drive in a furnace at 10,000 degrees (F). You could always use one of those eraser programs, but you can obviously tell something was wiped then, showing an intrusion was made.

Partially true, i.e. they prefer to remain 'less traceable' if not entirely 'untraceable'. I don't buy the argument that no Western country gets involved in such practices, simply because they wouldn't want to get caught by surprise or something.

Guest said:

I agree, we should put strong checks on known malware and hacking countries and allow only legitimate traffic. If hacking is found, ban those IPs and penalize the countries for their failure.

caravel said:

Anything you put on a hard drive stays there unless you melt the hard drive in a furnace at 10,000 degrees (F).

This is quite simply a myth propagated (obviously quite successfully) by certain unscrupulous companies wishing to profit from unnecessary data shredding and "multiple pass" disk wiping shitware utilities.

If you do a simple zero fill of a hard disk, or use the manufacturer's free utility to perform a low-level format, the data is gone for good. It doesn't really matter who you call, whether it's the FBI, CIA, MI6 or Ghostbusters, the data is not coming back, because you have changed every 1 to a 0. There is no subliminal or residual data layer; if there were, hard disk manufacturers would have exploited it decades ago to create multi-layer discs with vastly larger capacities. Zero fill is enough.
