Duqu Malware Exploits Windows Kernel Vulnerability


The Duqu malware, which operates like an electronic scout gathering information for a more serious attack, infected computers by exploiting a previously unknown vulnerability in Microsoft Windows, a Hungarian university lab reported Tuesday.

The Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics was the first organization to recover a Duqu installer, providing more insight into the workings of the malicious code discovered last month. Experts believe other types of installers were likely used to infect computers.

The recently recovered file is a Microsoft Word document (.doc) capable of exploiting a flaw in the Windows kernel. Microsoft was notified of the vulnerability and was working on a patch and an advisory, according to security vendor Symantec.

The university lab, known by the acronym CrySyS, said in a statement that Duqu is a "threat nearly identical to Stuxnet." That similarity is what separates Duqu from thousands of other viruses and trojans prowling the Internet.

Stuxnet, first discovered in June 2010, targeted Siemens industrial equipment running Windows. Nearly 60 percent of infected systems worldwide were in Iran, where the malware is believed to have damaged control systems in the country's nuclear facility. While Duqu is capable of infecting systems and gathering information, it lacks the destructive muscle of Stuxnet. "Our conclusion today is that Duqu was made to gather information, but does not do any type of cyber sabotage," Kevin Haley, director of product management for Symantec, said.

Rather than destroy systems, Duqu's mission is to steal documents from within a computer system and send them to a command and control server. Once enough information is gathered, hackers could use it to launch a more serious attack. "That's definitely possible," Haley said, while emphasizing that there's no proof.

What security experts do know is that at least six organizations in eight to 12 countries had Duqu-infected computers and that a command-and-control server was running in India and in Belgium, where the computer was recently taken offline, according to Symantec. Duqu has not been reported in the United States.

Due to an agreement with the U.S. Computer Emergency Readiness Team, Symantec would only say that Duqu was found in the systems of suppliers of industrial factories. Symantec had said last month that Duqu appeared to target a "limited number" of manufacturers of industrial control systems. CERT is the go-to agency within the Department of Homeland Security for cyber security.