Duqu Malware Leverages a Zero Day Windows Kernel Flaw

Over the past year, I've spoken a lot about Advanced Persistent Threats (APT), like Stuxnet, at presentations I've given around the world. In fact, one of my security predictions for this year concerned the increase in APTs (both as a true threat and as an overused term). If you've paid attention to security news over the past few weeks, you've probably read about a new piece of malware that fits the APT category, called Duqu.

In a nutshell, Duqu is the successor to Stuxnet. It shares much of the same source code and seems to come from the same authors. According to Symantec, Duqu appears to target governmental entities, system manufacturers, and the industrial infrastructure industry in order to gather intelligence data and assets, such as design documents. Experts suspect Duqu's authors plan to use this intelligence to further future attacks. If you'd like to learn more about Duqu (it's definitely interesting), see my reference links below. However, today I'd like to focus on the most recent Duqu-related development: the discovery of a zero day Windows kernel vulnerability in the Duqu installer.

According to Symantec, CrySyS (the group that originally discovered Duqu) recently recovered the actual installer for the Duqu malware. They learned that the installer file is a Word document that leverages a previously unknown zero day Windows kernel vulnerability to install the malware onto a victim system. Symantec and CrySyS shared this information with Microsoft, and Microsoft has already released an early Security Advisory reacting to the issue. According to Microsoft, the zero day vulnerability involves a flaw in the way the Windows kernel-mode driver parses TrueType fonts. This may sound surprisingly similar to the kernel-mode TrueType-related Denial of Service (DoS) vulnerability Microsoft fixed today, but it's actually a completely separate issue. Microsoft still has not released a patch for this serious zero day vulnerability, but they are working on one now.

Microsoft has suggested a workaround that can mitigate the risk of this zero day flaw: in Windows, you can deny access to a specific DLL (t2embed.dll). Keep in mind that doing this actually breaks applications that rely on embedded fonts, so they will not display certain content properly. However, it also prevents the Duqu installer from working. If you're especially concerned about Duqu, you may want to apply the Fix it workaround Microsoft posted in this Knowledge Base article.
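As an added example (not code from the original post or from Microsoft's Fix it), the PowerShell script below applies the deny-access workaround to t2embed.dll, verifies the resulting ACL, and can undo it with -Undo. It assumes an elevated PowerShell on Windows Vista or later, that taking ownership with takeown before using icacls is the way to apply the deny (the DLL is owned by TrustedInstaller), and that a SysWOW64 copy exists on 64-bit systems.

```powershell
# Added example (not from the original post or Microsoft's Fix it): apply, verify
# or undo the "deny access to t2embed.dll" workaround. Assumptions: run from an
# elevated PowerShell on Vista or later; takeown is needed first because the DLL
# is owned by TrustedInstaller, and the new owner keeps implicit rights to change
# the ACL again later even when Everyone is denied. Ownership is NOT restored by -Undo.
param([switch]$Undo)

$everyone = '*S-1-1-0'   # well-known SID for Everyone; avoids localized group names
$targets  = @("$env:windir\System32\t2embed.dll",
              "$env:windir\SysWOW64\t2embed.dll") | Where-Object { Test-Path $_ }

foreach ($dll in $targets) {
    if ($Undo) {
        # Remove only the deny entries for Everyone; existing grants are untouched.
        icacls $dll /remove:d $everyone | Out-Null
    } else {
        takeown /f $dll | Out-Null
        # Deny all access so no application can map the font-embedding DLL.
        # Caveat from the post: programs that rely on embedded fonts will break.
        icacls $dll /deny "${everyone}:(F)" | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { Write-Warning "ACL change failed on $dll"; continue }

    # Verify by reading the DACL rather than trusting the tool's exit code.
    $deny = (Get-Acl -Path $dll).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    if ($deny) { "$dll : workaround APPLIED (Everyone denied $($deny.FileSystemRights))" }
    else       { "$dll : workaround NOT applied" }
}
```

Running the script with no switch applies the deny and reports the state of each copy of the DLL; the same check runs after -Undo so you can confirm the deny entry is gone before relying on embedded fonts again.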

That said, there may be a few easier ways to help keep Duqu out of your network:

  • Use up-to-date antivirus (AV): AV companies now have samples of Duqu, so they also have signatures that catch some strains of this malware. That said, APT authors use the most advanced attack techniques, and often repack or re-encrypt their malware, which sometimes lets it evade AV. Unfortunately, you can't totally rely on traditional AV against APT threats.
  • Inform your users of suspicious Word documents: A simple way to avoid Duqu is to inform your users of the threat, and warn them not to interact with unsolicited Word documents.

The LiveSecurity team will continue to follow Duqu, and will inform you of any new developments, including when Microsoft releases a patch for the zero day kernel flaw. — Corey Nachreiner, CISSP (@SecAdept)

References:


About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
