DuQu Resurfaces

Back in October, I posted a note here about a new malware variant called DuQu.  At the time, it was a bit of a mystery; it had a number of similarities to Stuxnet, but it did not appear to carry any malicious payload.   There was some speculation that DuQu was intended primarily as an intelligence-gathering tool, and might be the precursor of a more serious attack.

Recently, a new version of DuQu has been found, which uses a previously unreported (“Zero Day”) flaw in the Microsoft Windows kernel to install the malware.  As reported in an article at the ThreatPost security news, published by Kaspersky Labs, the installer to date has come in the form of a Word document, typically attached to an E-mail message.

The installer, discovered by researchers at the Hungarian lab that first found Duqu, is a Word document that, once opened, exploits the kernel flaw and then installs the Duqu code on the machine.

Microsoft has issued a Security Advisory for this flaw, which has been assigned CVE-2011-3402.  The vulnerability that the installer exploits is in the TrueType font parsing engine, and apparently affects all supported versions of Windows.  Successfully exploiting the vulnerability would allow the attacker to run arbitrary code in kernel mode (the highest privilege level).  Exploiting the vulnerability, according to Microsoft, cannot be done automatically via E-mail; the user must open the attachment.  (Other attack vectors, such as a malicious Web page, may also be possible.)

Microsoft says it is working on a patch to fix the flaw.   There is a mitigating action suggested in the Security Advisory, which essentially disables the True Type engine; in consequence, documents that use embedded fonts will not display correctly.  Microsoft’s Knowledge Base article on the vulnerability has an automated “Fix It for Me” tool available to install the mitigation.

The security firm Symantec has posted an updated version of their analysis of DuQu [PDF].

Update Saturday, 5 November, 14:20 EDT

Although, as far as I know, no timetable for providing a patch has been published, the indications are that a patch will not be ready for inclusion in the security update bundle on Tuesday, November 8.

2 Responses to DuQu Resurfaces

  1. […] One of the bulletins (MS11-084) concerns a vulnerability in the kernel  mode handling of True Type fonts; however, this does not appear to be the flaw exploited by the recent DuQu malware variant. […]

  2. […] MS11-087, addresses the flaw in the TrueType kernel mode drivers that has been exploited by the DuQu malware.  This bulletin also supersedes MS11-077, issued in […]

%d bloggers like this: