Duqu Using Zero-Day To Spread

Symantec reports that the research group that originally uncovered the Duqu binaries has recovered an installer for the threat. Until now nobody had been able to obtain the installer, because it deletes itself after attempting an infection, so the initial infection vector was unknown.

The installer is apparently an otherwise ordinary Microsoft Word document (.doc) that exploits a previously unknown vulnerability in the Windows kernel to gain code execution. The document is tailored to the targeted organization, and its shellcode only installs Duqu if the document is opened within a specific time window; outside that window the exploit does nothing visible.
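A time-gated dropper of this kind has a practical consequence for analysis: a sandbox that detonates the document outside the window sees a harmless Word file. The C program below is an added illustration, not Duqu's shellcode or Symantec's analysis. It implements a date-window gate of the sort described above and then shows the analyst-side answer, sweeping a synthetic clock across a range of dates until the gate opens. The window dates, the function names and the probe range are all constructed for this example; the article does not state Duqu's actual dates.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Calendar date in UTC. */
typedef struct { int year, mon, day; } ymd;

/* Hypothetical install window, inclusive. These dates are constructed for
 * the example; the article does not state Duqu's real window. */
static const ymd WINDOW_START = {2011, 8, 1};
static const ymd WINDOW_END   = {2011, 8, 8};

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long days_from_civil(int y, int m, int d) {
    y -= (m <= 2);
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Inverse of days_from_civil. */
static ymd civil_from_days(long z) {
    z += 719468;
    long era = (z >= 0 ? z : z - 146096) / 146097;
    long doe = z - era * 146097;
    long yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    long doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    long mp  = (5 * doy + 2) / 153;
    ymd r;
    r.day  = (int)(doy - (153 * mp + 2) / 5 + 1);
    r.mon  = (int)(mp + (mp < 10 ? 3 : -9));
    r.year = (int)(yoe + era * 400 + (r.mon <= 2));
    return r;
}

/* The gate as a dropper would evaluate it: install only inside the window,
 * otherwise fall through silently. */
bool install_allowed(ymd today) {
    long t = days_from_civil(today.year, today.mon, today.day);
    return t >= days_from_civil(WINDOW_START.year, WINDOW_START.mon, WINDOW_START.day)
        && t <= days_from_civil(WINDOW_END.year, WINDOW_END.mon, WINDOW_END.day);
}

/* Analyst side: instead of trusting the real clock, sweep a synthetic clock
 * across a date range and record the days on which the gate opens. */
typedef struct { int hits; ymd first; ymd last; } probe_result;

probe_result probe_window(ymd from, ymd to) {
    probe_result r = {0, {0, 0, 0}, {0, 0, 0}};
    long a = days_from_civil(from.year, from.mon, from.day);
    long b = days_from_civil(to.year, to.mon, to.day);
    for (long t = a; t <= b; t++) {
        ymd d = civil_from_days(t);
        if (!install_allowed(d)) continue;
        if (r.hits == 0) r.first = d;
        r.last = d;
        r.hits++;
    }
    return r;
}

int main(void) {
    /* What a sandbox running on the real clock would see today. */
    time_t now = time(NULL);
    struct tm *g = gmtime(&now);
    ymd today = {g->tm_year + 1900, g->tm_mon + 1, g->tm_mday};
    printf("real clock %04d-%02d-%02d: %s\n", today.year, today.mon, today.day,
           install_allowed(today) ? "would install" : "silent no-op");

    /* What the clock sweep recovers (constructed probe range). */
    probe_result p = probe_window((ymd){2011, 7, 1}, (ymd){2011, 9, 30});
    printf("gate opens on %d day(s): %04d-%02d-%02d .. %04d-%02d-%02d\n",
           p.hits, p.first.year, p.first.mon, p.first.day,
           p.last.year, p.last.mon, p.last.day);
    return 0;
}
```

The sweep is the point: once a sample is seen to consult the system clock, the analyst's job is to vary that clock (in a sandbox, via an API hook, or in an emulator) rather than to re-run the sample on the real date. The same sweep works for gates keyed on hour of day or day of week; only the unit stepped changes.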

Microsoft is working on a patch and an advisory for release as soon as possible. When the Word file is opened, the exploit runs and installs the main Duqu binaries. The chart below, from Symantec's website, shows how the exploit in the Word document leads, step by step, to the installation of Duqu.


Once Duqu is inside an organization, it can be commanded to spread to other computers using a variety of additional exploits and protocols. Its command-and-control (C&C) connectivity is equally flexible: it uses peer-to-peer and other protocols to bridge security zones and other Internet connectivity controls, so infected machines without direct Internet access can still reach the C&C server through their peers.