
Windows zero-day vulnerability revealed by Duqu installer


Duqu discoverer CrySyS has obtained an installer for the malware. An analysis published by Symantec reveals that it exploits a zero-day vulnerability.

According to Symantec, the installer for the Duqu malware recently discovered by CrySyS is a Microsoft Word document that takes advantage of a zero-day kernel vulnerability. Microsoft is reportedly working on a patch.

Symantec went on to say that this particular installer was highly targeted, and "no robust workarounds exist at this time other than following best practices, such as avoiding documents from unknown parties and utilizing alternative software." The good news is that most security software can detect the main Duqu files, if not the installers.

An interesting finding is that Duqu doesn't need direct access to the Internet to communicate with a command and control (C&C) server. Instead, it can use a peer-to-peer protocol to connect to another infected computer that can reach the C&C server directly, which then relays the traffic on its behalf.
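The relay behaviour described above has a visible footprint from the defender's side: the peer that does have Internet access accepts connections from other internal hosts and also makes its own outbound connections to external addresses. The following script, added here as an illustration rather than code from the article or from any Duqu analysis, searches connection-log records for internal hosts that match that pattern. The log format, the addresses, the ports and the internal ranges are all constructed for the example.

```python
"""Relay-pattern detection over connection-log records (constructed example).

Flags internal hosts that both receive connections from other internal
hosts and themselves connect to external addresses, i.e. hosts that could
be acting as a C&C relay for peers without direct Internet access.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed connection log: timestamp, source, destination, destination port.
SAMPLE_LOG = """\
2011-11-01T09:00:01 10.0.1.15 10.0.1.20 445
2011-11-01T09:00:03 10.0.1.20 203.0.113.7 443
2011-11-01T09:00:05 10.0.1.16 10.0.1.20 445
2011-11-01T09:00:06 10.0.1.20 203.0.113.7 443
2011-11-01T09:01:00 10.0.1.30 10.0.1.40 445
2011-11-01T09:02:00 10.0.1.50 198.51.100.9 80
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse whitespace-separated records into (timestamp, src, dst, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((ts, src, dst, int(port)))
    return records


def find_relays(records, min_peers=1, allowlist=()):
    """Return hosts that accept internal connections and reach external hosts.

    min_peers: minimum number of distinct internal peers connecting inbound.
    allowlist: known proxies / gateways to ignore, since they legitimately
               show the same inbound-plus-outbound pattern.
    """
    inbound = defaultdict(set)   # host -> internal peers that connected to it
    outbound = defaultdict(set)  # host -> external destinations it reached
    for _ts, src, dst, _port in records:
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
        elif is_internal(src) and not is_internal(dst):
            outbound[src].add(dst)

    relays = {}
    for host, peers in inbound.items():
        if host in allowlist:
            continue
        if len(peers) >= min_peers and outbound.get(host):
            relays[host] = {
                "peers": sorted(peers),
                "external": sorted(outbound[host]),
            }
    return relays


if __name__ == "__main__":
    for host, info in find_relays(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: relays for {info['peers']} to {info['external']}")
```

In the constructed log, 10.0.1.20 is reported because two internal peers connect to it and it in turn reaches 203.0.113.7; 10.0.1.40 only receives internal connections and 10.0.1.50 only makes external ones, so neither is flagged. The pattern is a triage signal, not proof of compromise: file servers, proxies and jump hosts match it too, which is why the function takes an allowlist and a peer-count threshold.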

While there are commonalities between Duqu and Stuxnet, the security industry is divided on whether both were developed by the same people. It has been suggested that Duqu's developers had access to the Stuxnet source code, but the similarities could also be the result of a reverse-engineering effort.

Unlike Stuxnet, Duqu appears to be aimed at extracting information from infected computers.