David Heath
Tuesday, 22 November 2011 13:45
Page 1 of 2
Kaspersky Lab's analysis of the Duqu malware shows it to be highly targeted and makes very clear that it fits any reasonable definition of 'Advanced Persistent Threat.'
Analysis of the behaviour of the ongoing Duqu infection across the twelve sites so far identified has found that each of the intrusions was customised to the victim. Clearly the attacker was specifically interested in each of those organisations.
In each case, the intrusion took the form of an infected MS Word file carrying a zero-day exploit. The attack was based on a specially modified font embedded in the document, which took advantage of a vulnerability in the Windows font-parsing engine.
The email containing the document was specifically addressed to a suitable person in the organisation and the document's filename was built around the name of the organisation.
The report also notes that the successful intrusion was actually the second attempt at that organisation. After the infection, later analysis discovered a previous attempt in the targeted user's email junk folder.
Once the document was opened it did absolutely nothing for at least 10 minutes. Following that time, it waited for a quiet time (no mouse or keyboard) before dropping the full payload onto the affected PC.
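The delayed, idle-triggered drop described above is something endpoint telemetry can be checked for. The following is an added example, not Kaspersky's code: it runs over constructed event records (document open, user input, process spawn) and flags a child of the Word process that appears at least 10 minutes after the document was opened and while the user has been idle. The event format, the 2-minute idle threshold and the sample process names are assumptions.

```python
"""Detection heuristic for a delayed, idle-triggered dropper (added example).
Event format, idle threshold and sample telemetry are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str          # "doc_open", "input" or "spawn"
    detail: str = ""   # document name, or "PARENT>child" for a spawn

MIN_DELAY = timedelta(minutes=10)   # the dropper waited at least this long
IDLE_WINDOW = timedelta(minutes=2)  # assumed "quiet time" with no input

def find_delayed_idle_drops(events, office_parent="WINWORD.EXE"):
    """Return spawn events whose parent is the Office process, occurring after
    a long delay since the document was opened and during a user-idle period."""
    events = sorted(events, key=lambda e: e.ts)
    doc_opened = None
    last_input = None
    hits = []
    for e in events:
        if e.kind == "doc_open":
            doc_opened = e.ts
            last_input = e.ts          # opening the file counts as activity
        elif e.kind == "input":
            last_input = e.ts
        elif e.kind == "spawn" and e.detail.split(">")[0].upper() == office_parent:
            if doc_opened is None:
                continue
            delayed = e.ts - doc_opened >= MIN_DELAY
            idle = last_input is not None and e.ts - last_input >= IDLE_WINDOW
            if delayed and idle:
                hits.append(e)
    return hits

# Constructed sample telemetry for one workstation.
T0 = datetime(2011, 11, 22, 13, 0)
SAMPLE = [
    Event(T0, "doc_open", "AcmeCorp_proposal.doc"),
    Event(T0 + timedelta(minutes=1), "spawn", "WINWORD.EXE>splwow64.exe"),  # early, user active
    Event(T0 + timedelta(minutes=3), "input"),
    Event(T0 + timedelta(minutes=9), "input"),
    Event(T0 + timedelta(minutes=14), "spawn", "WINWORD.EXE>rundll32.exe"),  # delayed and idle
]

if __name__ == "__main__":
    for hit in find_delayed_idle_drops(SAMPLE):
        print("suspicious:", hit.ts.isoformat(), hit.detail)
```

Only the second spawn is reported; the early one fails the delay test and happens while the user is still active.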
Kaspersky warns, "It is important to understand that the 'remediate and forget' approach does not work for Duqu. Any infection attempt signals that it was important for cybercriminals to gain control over a certain system, so there'd be a high chance of repeated attacks using various other methods."
Read about the multiple command and control servers discovered on the next page.