Zero-day Exploit Duqu has Microsoft posting hot fix
PeterWallace
In the past few days a zero-day exploit named Duqu has surfaced. It is a Word file containing malware that exploits a previously unknown flaw in Windows; it was sent to one of its victim companies, but that still does not tell us much more about what Duqu is up to or who should be worried about it. Duqu was found in some European organizations and seemed to be going after certificate authorities (CAs) and industrial control-system vendors.
Microsoft and Symantec, who are studying the malware, have not shared any dropper information with other antivirus companies. Droppers are typically very small, are designed to evade detection by antivirus software, and can sometimes contain exploit code used to inject themselves onto the target computer. Microsoft is working on a fix but knows it will not be ready for Patch Tuesday, so it released a hot fix on November 3, 2011. Even if you’re not a certificate authority or a manufacturing firm, the two industries cited publicly so far as having Duqu victims, security experts say there are some steps you can take to help protect your infrastructure from this new targeted attack.
1) Install the “hot fix” and workaround from Microsoft. Microsoft has posted security advisory 2639658 (http://technet.microsoft.com/en-us/security/advisory/2639658) to address the recently disclosed Windows kernel vulnerability (CVE-2011-3402) exploited by the Duqu malware. The flaw lies in the Win32k TrueType font parsing engine. According to Microsoft: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware,” Microsoft said in an advisory today.
2) Run updated anti-malware – Not all antivirus products can detect Duqu yet, but security experts say to keep updating to be sure you get protection for Duqu as soon as it’s released. They also highly encourage people not to click on attachments in email that seems suspicious, even if it comes from someone they know.
3) Scan or filter Word documents from unknown sources – One handy tool is Microsoft’s MOICE (Microsoft Office Isolated Conversion Environment, http://support.microsoft.com/kb/935865), which checks for malformed Word documents. That is exactly how Duqu starts: a malformed Word file that tricks Microsoft Word into running the attacker’s code.
4) Monitor for traffic from potentially infected machines – Be on the lookout for machines trying to connect to a Duqu command-and-control server or trying to resolve a Duqu-related domain. Two command-and-control servers have been taken down thus far, but there are likely new ones. The IP addresses that were found and ultimately shut down: 206.183.111.97 and 77.241.93.160.
5) Watch for any port 443 traffic that’s unencrypted, and keep an eye out for ~DQ files – Watching for unencrypted traffic on the HTTPS/SSL port can help detect malware, including a possible Duqu infection; if it’s not encrypted, it’s probably bad. Meanwhile, a Duqu-infected file may start with “~DQ” in the Windows temporary file directory, so be on the lookout for that as well.
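As an added example (not code from the post or its author), the Python sketch below applies the indicators from steps 4 and 5: it flags flows to the two command-and-control addresses listed above, flags port 443 flows whose first bytes are not a TLS record header, and lists temp-directory file names beginning with ~DQ. The flow-log format and the sample lines are constructed for illustration; 192.0.2.x addresses are documentation addresses, not real hosts.

```python
import os
import re
import tempfile

# Constructed flow-log format (not any real product's):
#   <timestamp> <src_ip> <dst_ip>:<dst_port> <hex of the first bytes sent>
FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<first>[0-9a-fA-F]*)$")

# The two command-and-control addresses named in the post.
DUQU_C2_IPS = {"206.183.111.97", "77.241.93.160"}

def looks_like_tls(first_bytes: bytes) -> bool:
    """True if the bytes start like a TLS record: type 0x16 (handshake), version 3.x."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03)

def flag_flows(lines):
    """Return (timestamp, dst_ip, reason) for each flow that matches a Duqu indicator."""
    findings = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        dst, port = m["dst"], int(m["port"])
        first = bytes.fromhex(m["first"])
        if dst in DUQU_C2_IPS:
            findings.append((m["ts"], dst, "known Duqu C2 address"))
        if port == 443 and first and not looks_like_tls(first):
            findings.append((m["ts"], dst, "plaintext on port 443"))
    return findings

def dq_names(names):
    """Filter file names that begin with ~DQ (case-insensitive)."""
    return sorted(n for n in names if n.upper().startswith("~DQ"))

def find_dq_temp_files(temp_dir=None):
    """List ~DQ* names in the temp directory (Windows %TEMP% by default)."""
    return dq_names(os.listdir(temp_dir or tempfile.gettempdir()))

# Constructed sample flows; 192.0.2.x are documentation addresses, not real hosts.
SAMPLE_FLOWS = [
    "2011-11-03T10:00:01 10.0.0.5 192.0.2.10:443 160301",      # TLS handshake: fine
    "2011-11-03T10:00:02 10.0.0.5 206.183.111.97:443 474554",  # C2 address, plaintext GET
    "2011-11-03T10:00:03 10.0.0.7 192.0.2.20:443 474554",      # plaintext GET on 443
    "2011-11-03T10:00:04 10.0.0.7 192.0.2.20:80 474554",       # plain HTTP on 80: fine
]
if __name__ == "__main__":
    for finding in flag_flows(SAMPLE_FLOWS):
        print(*finding)
    print(find_dq_temp_files())
```

The TLS check only looks at the first record header, so a proxy or flow collector that captures the initial client bytes is assumed; the C2 list should be extended as new addresses are published.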
