Secplicity - Security Simplified

Powered by WatchGuard Technologies

Duqu Malware Leverages a Zero Day Windows Kernel Flaw

November 8, 2011 By Corey Nachreiner

Over the past year, I've spoken a lot about Advanced Persistent Threats (APTs), like Stuxnet, at presentations I've given around the world. In fact, one of my security predictions for this year concerned the increase in APTs (both as a true threat and as an overused term). If you've paid attention to security news over the past few weeks, you've probably read about a new piece of malware that fits the APT category, called Duqu.

In a nutshell, Duqu is the successor to Stuxnet. It shares much of the same source code and seems to come from the same authors. According to Symantec, Duqu seems to be targeting governmental entities, system manufacturers, and the industrial infrastructure industry to gather intelligence data and assets, such as design documents. Experts suspect Duqu's authors plan to use this intelligence to further future attacks. If you'd like to learn more about Duqu (it's definitely interesting), see my reference links below. However, today I'd like to focus on the most recent Duqu-related development: the discovery of a zero day Windows kernel vulnerability in the Duqu installer.

According to Symantec, CrySyS (the group that originally discovered Duqu) recently recovered the actual installer for the Duqu malware. They learned that the installer file is a Word document that leverages a previously unknown zero day Windows kernel vulnerability to install the malware on a victim system. Symantec and CrySyS shared this information with Microsoft, and Microsoft has already released an early Security Advisory reacting to the issue. According to Microsoft, the zero day vulnerability involves a flaw in the way the Windows kernel-mode driver parses TrueType fonts. This may sound surprisingly similar to the kernel-mode TrueType-related Denial of Service (DoS) vulnerability Microsoft fixed today, but it's actually a completely separate issue. Microsoft still has not released a patch for this serious zero day vulnerability, but they are working on one now.

Microsoft has suggested a workaround that can mitigate the risk of this zero day flaw. In Windows, you can prevent access to a specific DLL (t2embed.dll). Keep in mind that doing this actually breaks applications that rely on embedded fonts, causing them not to display certain content properly. However, it also prevents the Duqu installer from working. If you're especially concerned about Duqu, you may want to apply the Fix it workaround Microsoft posted in its Knowledge Base article.
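As an added example (not code from the original post or from Microsoft's Fix it package), the following PowerShell script applies, checks or removes that deny-access workaround on t2embed.dll. It assumes an elevated session, and covering the 32-bit copy under SysWOW64 on 64-bit Windows is this example's own assumption, not something the post states.

```powershell
# Added example: apply, check or remove the "deny Everyone access to
# t2embed.dll" workaround described in the post. Assumes an elevated
# PowerShell session; if Set-Acl reports access denied, ownership of the
# file (normally held by TrustedInstaller) must be taken first.
param([ValidateSet('Apply', 'Check', 'Remove')][string]$Action = 'Check')

# Use the well-known SID for Everyone so the check works on localized Windows.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

$targets = @("$env:windir\System32\t2embed.dll")
# Assumption of this example: also cover the WOW64 copy where it exists.
if (Test-Path "$env:windir\SysWOW64\t2embed.dll") {
    $targets += "$env:windir\SysWOW64\t2embed.dll"
}

# An explicit Deny for Everyone, which overrides any Allow entries.
function New-DenyRule {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone, 'FullControl', 'Deny')
}

# True when an explicit Deny for Everyone is present on the file's DACL.
function Test-DenyApplied([string]$Path) {
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    })
}

foreach ($dll in $targets) {
    switch ($Action) {
        'Apply' {
            # Side effect noted in the post: embedded fonts stop rendering.
            $acl = Get-Acl -Path $dll
            $acl.AddAccessRule((New-DenyRule))
            Set-Acl -Path $dll -AclObject $acl
        }
        'Remove' {
            # Undo once the vendor patch is installed.
            $acl = Get-Acl -Path $dll
            $acl.RemoveAccessRuleAll((New-DenyRule))
            Set-Acl -Path $dll -AclObject $acl
        }
    }
    $state = if (Test-DenyApplied $dll) { 'access DENIED' } else { 'accessible' }
    Write-Output ("{0}: {1}" -f $dll, $state)
}
```

Run with `-Action Check` first to record the current state, and with `-Action Remove` after the patch ships so embedded-font rendering is restored.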

That said, there may be a few easier ways to help keep Duqu out of your network:

  • Use up-to-date antivirus (AV): AV companies now have samples of Duqu, so they also have signatures to detect some strains of this malware. That said, APT authors use the most advanced attack techniques and often repack or re-encrypt their malware, which sometimes allows it to evade AV. Unfortunately, you can't totally rely on traditional AV against APT threats.
  • Inform your users about suspicious Word documents: A simple way to avoid Duqu is to inform your users of the threat and warn them not to interact with unsolicited Word documents.

The LiveSecurity team will continue to follow Duqu developments, and will inform you of any new developments, including when Microsoft releases a patch for the zero day Kernel flaw. — Corey Nachreiner, CISSP (@SecAdept)

References:

  • Duqu Wikipedia Article
  • W32.Duqu: The Precursor to the Next Stuxnet, Symantec
  • Duqu Status Updates, Symantec
  • Threatpost Duqu article
  • Threatpost Duqu update


Filed Under: Security Bytes Tagged With: APT, Duqu, stuxnet

Comments

  1. BOATNER says

    July 11, 2014 at 9:13 pm

    A person effectively assist for making really posts I’d state. Option brand new I personally been to your internet-site site thereby way? My spouse and i shocked together with the analysis you’ve made to make that publish amazing. Superb method!
