Reported from Australia – The Stuxnet-like Duqu Trojan is infecting computers via a Word document that exploits a previously unknown Windows kernel bug.
Microsoft said hackers exploited a previously unknown bug in its Windows operating system to infect computers with the Duqu virus, which some security experts say could be the next big cyber threat.
“We are working diligently to address this issue and will release a security update for customers,” Microsoft said in a short statement.
News of Duqu surfaced in October when security software maker Symantec said it had analysed a mysterious new computer virus discovered by independent researchers that contained code similar to Stuxnet, a piece of malicious software believed to have wreaked havoc on Iran’s nuclear program.
Government and private investigators are racing to unlock the secret of Duqu, with early analysis suggesting that it was developed by sophisticated hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines.
Senior vice president of McAfee Labs Vincent Weafer later said the virus was the first step in laying the ground for possible attacks on critical infrastructure. He said it would take a few weeks for security companies to start to detect infections in machines around the world now that they knew what they were looking for.
Details on how Duqu got onto machines emerged for the first time on Tuesday as Microsoft disclosed its link to the infection.
Separately, Symantec researchers said they believe hackers sent the virus to targeted victims via emails with tainted Microsoft Word documents attached.
If a recipient opened the Word document and the PC became infected, the attacker could take control of the machine and reach into the organisation’s network, where the malware could propagate itself and hunt for data, Symantec researcher Kevin Haley told Reuters.
He said some of the source code used in Duqu was also used in Stuxnet, a cyber weapon believed to have crippled centrifuges that Iran uses to enrich uranium.
That suggests that the attackers behind Stuxnet either gave that code to the developers of Duqu, allowed it to be stolen, or are the same people who built Duqu, Haley said.
“We believe it is the latter,” he said.
But other security experts have said they do not believe Duqu was written by the same people as Stuxnet.
“Although the Duqu rootkit has been attributed to the Stuxnet gang, we believe the two e-threats are completely unrelated,” said Catalin Cosoi, head of the Bitdefender Online Threats Lab, in a statement.
“Stuxnet has been successfully reverse-engineered and its code was published online earlier this year. Now, Stuxnet is serving as a source of inspiration for other cyber-criminal gangs. That code is serving as open source for the virus community, basically adding millions of dollars in value to the virus community’s R&D.”
Ty Miller, CTO of Pure Hacking, said it was highly likely to be one part of a larger operation.
“Organisations within Australia who run SCADA systems should ensure that all precautions are taken to minimise risk. Since the 0-day exploit is within Word documents, all Word attachments should be treated as malicious until a patch has been implemented.”
Symantec said Word file infection is “just one of potentially multiple installer methods that may have been used by attackers to infect computers in different organisations”.
Like its predecessor, the Stuxnet rootkit, Rootkit.Duqu.A is digitally signed with a stolen code-signing certificate, which has since been revoked. A valid signature is what lets its kernel driver load on 64-bit editions of Windows Vista and later, which enforce kernel-mode driver signing, as well as on 32-bit systems, so the rootkit installs on Windows platforms ranging from Windows XP to Windows 7. Revoking the certificate only helps where revocation is actually checked; it does not retroactively unload a driver that has already been installed.
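One check a defender can run against the mechanism described above, as an added example that is not part of the original article or of any vendor’s tooling: enumerate the kernel drivers registered on a Windows host and report any whose Authenticode signature is missing, broken, untrusted, or chains to a revoked certificate. It assumes Windows PowerShell run from an elevated prompt and network access to the issuing CA’s CRL/OCSP endpoints (offline, revocation comes back as “Unknown”). Because Get-AuthenticodeSignature’s Status field on its own does not tell you whether the signing certificate was revoked, the script builds the certificate chain explicitly with online revocation checking. No Duqu-specific indicators are included, since the article names none.

```powershell
# Added example (not from the article): audit registered kernel drivers for
# missing, untrusted, or revoked Authenticode signatures.
# Run from an elevated Windows PowerShell prompt on the host being checked.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports kernel-style paths; normalise them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''                      # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot             # expand \SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

function Get-RevocationStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain ourselves with online CRL/OCSP checking for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Ignore expiry: a stolen certificate may have been used (and timestamped) before it expired.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    [void]$chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    if ($status -contains 'Revoked') { return 'Revoked' }
    if ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') { return 'Unknown' }
    return 'Good'
}

# Enumerate every registered kernel driver, running or not.
$report = foreach ($drv in Get-WmiObject Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $revocation = if ($sig.SignerCertificate) { Get-RevocationStatus $sig.SignerCertificate } else { 'n/a' }

    New-Object PSObject -Property @{
        Driver     = $drv.Name
        State      = $drv.State
        Path       = $path
        SigStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Revocation = $revocation          # Good, Revoked, Unknown, n/a
        Signer     = $signer
    }
}

# Anything that is not a valid, unrevoked signature deserves a look. A driver whose
# signature verifies but whose signing certificate is now revoked is exactly the
# stolen-certificate pattern the article describes for Stuxnet and Duqu.
$report |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Revocation -ne 'Good' } |
    Sort-Object Revocation, SigStatus |
    Format-Table Driver, State, SigStatus, Revocation, Signer -AutoSize
```

Expect some noise on a healthy machine: drivers whose signing certificate chains to a CA with no reachable CRL will show as “Unknown”, and a revoked third-party signer on a driver that is still in the Running state is the finding to escalate, since revocation alone did not stop it loading.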
The Duqu rootkit runs on the computer for 36 days and collects any kind of information entered via the keyboard, including passwords, e-mail or IM conversations. After the “surveillance” period ends, the rootkit gracefully removes itself from the system, along with the keylogger component.
Contact Computer Troubleshooters for more information about how to effectively protect yourself from these kinds of threats.