New info shows Duqu installs itself by a zero-day exploit—an Windows kernel level hole. Where’s this hole? Microsoft doesn’t know. Patch Tuesday is coming up and many aren’t holding their breath to see a Duqu patch in the mix. Where does that leave you?
The new data on Duqu comes after researchers got their hands on an installer file. It’s a Word doc that exploits the unknown weakness in Windows, letting the malware install.
Duqu made the news a couple of weeks ago, with Symantec first reporting it was built for cyber espionage. Its mission was to gather intelligence info from targeted industries.
Weeks later the malware is still a bit of a mystery. Is it Stuxnet’s sequel? A spinoff? Or a brand new breed? What exactly is it after? No one knows for sure.
The installer found shows it’s target was tailored to attack one specific company. That may sound like good news to you, but that’s only one installer. There could be many more out in the wild, all custom tailored to other companies.
Duqu has some tricks up its sleeve too. It uses SMB shares to spread internally, infecting machines not even hooked up to the web. These machines can still get instructions from Duqu homebase—via proxy with machines that are connected to the web. Sneaky!
Microsoft is working on a fix, but when this will appear is still unknown. This makes the need for a layered security approach even more crucial. The combination of anti-virus, application whitelisting and instant system restore software will protect you from Duqu. Whatever its intention is.