New details are emerging regarding the Duqu worm. CrySyS Labs, the team that originally discovered the Duqu malware, has intercepted one of the files that actually installs the malware on target systems. It seems that Duqu is exploiting a zero-day vulnerability in Microsoft Word to spread.
According to the researchers at CrySyS, Duqu is installed by a Microsoft Word zero-day exploit that targets a kernel vulnerability. When a victim opens a malicious Microsoft Word document, the main elements of the Duqu worm are installed on the compromised system.
The fact that security researchers were able to recover and analyze one of the dropper files used to install Duqu is encouraging, but the researchers also caution that this may not be the only attack vector. The recovered dropper file was intended to target one specific organization, and it had a built-in eight-day expiration window. It is possible that other Duqu attacks could use variants of malicious Microsoft Word documents, or they could use entirely different means to accomplish the initial compromise.
Once the Duqu worm infects the target machine, it seeks out contacts in email clients such as Microsoft Outlook or Mozilla’s Thunderbird and continues to propagate itself as a Microsoft Word file attachment. Because the email comes from a known, and ostensibly trusted, source, it has a higher chance of being opened by the new victim.
Even in situations where systems are not connected to the Internet at all, Duqu is able to spread. A blog post from Symantec explains that the Duqu worm has also been observed spreading internally across SMB network shares.
Symantec says that in instances where systems did not have an Internet connection to reach the Duqu command and control servers, those systems instead used a clever file sharing protocol to communicate by proxy through other compromised machines that do have an Internet connection.
The Duqu worm is built on the same core code as the Stuxnet worm that plagued the Internet a year ago. That threat specifically targeted programmable logic controllers (PLCs) used in Iranian nuclear power facilities. It was widely rumored to have been developed by United States or Israeli military or intelligence with the specific intent of compromising Iranian nuclear capabilities.
Although Duqu seems to be built on the same foundation as Stuxnet, it does not seem likely that it was developed by the same team. Duqu actually appears to be targeting United States assets and allies.
Microsoft is reportedly working diligently to publish a security advisory and develop a patch to address the zero-day flaw exploited by Duqu.