Not much was known about the threat when the Duqu malware was first discovered in September by Hungarian security firm CrySys and shared with several American organizations shortly thereafter. It was unclear who was responsible for the new cyberthreat, as well as who and what it was targeting. Still, experts agreed that it was bad and another addition to the next generation of cyberattacks.
Now, as analysts and data security researchers have had some time to break down Duqu, more details about the malware are coming to light. Most recently, a data management firm that has been analyzing Duqu announced that CrySys has discovered the Trojan exploits a previously undetected zero-day vulnerability in the Windows kernel, a central component of the popular operating system.
According to the company, Duqu is installed on a victimized machine through a malicious Microsoft Word file designed to exploit the Windows kernel flaw, and once installed it can be controlled remotely. The Trojan then goes to work on the code execution vulnerability.
"Thus far, no-one had been able to recover the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems. Fortunately, an installer has recently been recovered due to the great work done by the team at CrySys," the American firm said in a recent company blog post.
Much like the Stuxnet worm, which was discovered last summer and is widely believed to be a Duqu predecessor, Duqu is thought to be the work of a sovereign government. That notion was reinforced recently when another data management firm detected infections in both Iran and the Sudan, two countries that serve as lightning rods on the international stage, PC World reported.
"One incident involved two infected computers located on the same network, with one containing two separate Duqu drivers," PC World reported. "In a separate case, the network where the infected computers resided recently registered two attacks that targeted a vulnerability exploited by both Stuxnet and the Conficker worm."
That report also stated that Duqu itself has three main components: a kernel driver that injects a rogue library into the infected system's processes, the rogue library itself, which is responsible for communicating with the command-and-control server, and a configuration file.
Researchers long ago concluded that Stuxnet, from which Duqu borrows code and functionality, was meant to be used as an industrial spy to gather information on the Iranian nuclear program. It could be that Duqu was created for the same purpose.
Meanwhile, according to Computerworld, Microsoft is "working diligently" to address its part in this new Internet security crisis, Jerry Bryant, Microsoft's Trustworthy Computing group manager, said.
"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware," he told the news provider in an email. The company will issue a security update to address the vulnerability "through our security bulletin process."
Researchers with the Dell SecureWorks Counter Threat Unit also recently added another twist to the Duqu saga, according to Help Net Security, by revealing that they don't think the same author is behind both Stuxnet and this latest threat. Many experts believed that was the case due to the overwhelming similarities between the two. However, it was also noted that once Stuxnet was released into the wild, it was there for anyone to break down and recreate.
The Dell CTU division also said it doesn't believe that Duqu was created with the same aim in mind as Stuxnet. That's because it does not feature code targeting supervisory control and data acquisition (SCADA) systems as its predecessor did, according to Help Net Security.
Data Security News from SimplySecurity.com by Trend Micro