Duqu Malware Marches Through Windows Kernel Flaw
Nov 2, 2011 11:07 AM PT
The Duqu malware that became widely known last month is exploiting a zero-day vulnerability in the Windows kernel to infect systems, according to the Hungarian group CrySyS.
An installer file for the Trojan was previously unknown, but now CrySyS and security firm Symantec are reporting that the main Duqu binaries are released onto a targeted system when a Word file containing the malware is opened. The file was specifically designed to open during an eight-day window in August.
There is no known workaround for the vulnerability, which could be one of several methods of infection Duqu employs.
Microsoft has acknowledged the problem and said it's working on a solution.
"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications from Microsoft Trusthworthy Computing, told TechNewsWorld.
New Can of Worms
An exploitation of a kernel-level vulnerability, rather than a user-level vulnerability, makes Duqu more threatening because the Trojan can then take hold in an organization to issue commands or modify the system code. Sneaking through a user-level vulnerability, by contrast, would require user privileges like security clearance or passwords.
"The attack can now elevate user privileges ... so that the hacker can take over the Windows device and use it to execute whatever code it wants to from a remote location. At the same time, it could appear to the server to be an authorized user with high levels of previously granted privileged access," Avivah Litan, security analyst at Gartner, told TechNewsWorld.
Though the discovery tells researchers more about the nature of Duqu, the Trojan remains more elusive now than it did before.
"Having kernel-level privileges enables greater capabilities and is better able to evade detection," Mike Geide, senior security researcher at Zscaler ThreatLabZ, the research arm of cloud security company Zscaler, told TechNewsWorld.
Kernel-level capabilities means Duqu is able to attack using multiple resources and fronts.
"It also opens up the attack vectors that Duqu can exploit, so that multiple applications and methods can be used in a particular attack scenario," said Litan.
Similar to Stuxnet
Duqu received attention weeks ago due to its similarities to the Stuxnet worm that infiltrated several industrial control units last year, most notably in Iran's Natanz nuclear facility. Security researchers believe Duqu could be acting as a precursor to another Stuxnet-like attack, gathering information that could be used in a pinpointed cyberattack.
Stuxnet was especially alarming to security professionals because of the worm's wide scope, its technical capabilities and its specific targets. These characteristics led many authorities to suspect it was backed by operatives with possible connections to the American or Israeli governments.
Duqu shows similar technical prowess, but the funding behind a cyberattack such as Duqu's may not necessarily mean it's backed by a nation-state.
"It's hard to say how much funding this requires. I imagine these types of attacks require very sophisticated and advanced skills and abilities in software design and engineering, organization and execution, but not necessarily a ton of money for development. The cost of capital is rather low in cyberattacks," said Litan.
The similarities to Stuxnet, especially the malwares' taste for highly targeted attacks, are still difficult to ignore.
"Stuxnet, too, leveraged zero-day vulnerabilities in Windows, most notably the LNK vulnerability. In addition to the technical capabilities of Duqu, other aspects indicate that there is likely an organized group behind this threat, such as the specific targets of interest with the information stealing goals," said Geide.