Microsoft is preparing a security update after it was disclosed that the Duqu malware exploits a previously unknown vulnerability delivered through a Microsoft Word document. Security researchers have described Duqu as an evolution of the cyber threat, sharing code with Stuxnet, which turned out to be a targeted attack on Iranian nuclear centrifuges.
Duqu was initially reported as a next-generation, Stuxnet-like attack, either built by the same group as the original Stuxnet or derived from the same source code, for purposes unknown at the time. The relationship is highlighted in a Reuters article that quotes Symantec researcher Kevin Haley:
“That suggests that the attackers behind Stuxnet either gave that code to the developers of Duqu, allowed it to be stolen, or are the same people who built Duqu, Haley said.
“We believe it is the latter,” he said.”
Symantec has published a status update on the infection, covering the initial infection vector, propagation, and worldwide infection reports, on its Security Response Blog. Noting that analysis of the threat continues, it posted the following:
“We have shared information and samples with other security vendors so that they can verify protection accordingly.
Key updates in the Symantec whitepaper include:
• An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
• Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
• Six possible organizations in eight countries have confirmed infections
• A new C&C server (184.108.40.206) hosted in Belgium was discovered and has been shut down”
Countermeasures taken so far, such as the reported revocation of the compromised code-signing certificate used by Duqu's authors and the shutdown of Command and Control (C&C) servers around the world, illustrate how far the response to the threat has already advanced.
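Because the response relied on revoking a stolen signing certificate, the check a defender wants is whether any driver on a host is signed with a certificate that has since been revoked. The following PowerShell is an added example, not code from the article, Symantec, or Microsoft; it assumes the standard driver directory (`$DriverDir`) and network access to CRL/OCSP endpoints for online revocation checking.

```powershell
# Added example: list drivers whose Authenticode signature is not valid, or whose
# signing certificate chain reports a revocation. Not from the original article.
# Assumption: drivers live under the system driver directory; override $DriverDir to scan elsewhere.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

function Test-SignerRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force an online CRL/OCSP lookup for every certificate in the chain.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Build() returns $false when any element has a problem; the reasons are in ChainStatus.
    $null = $chain.Build($Cert)
    $problems = @($chain.ChainStatus |
        Where-Object { $_.Status -ne 'NoError' } |
        ForEach-Object { $_.Status })
    $chain.Dispose()
    return $problems
}

Get-ChildItem -Path $DriverDir -Filter *.sys -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $chainProblems = @()
    if ($sig.SignerCertificate) {
        $chainProblems = Test-SignerRevocation -Cert $sig.SignerCertificate
    }
    [pscustomobject]@{
        File       = $_.Name
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        ChainIssue = ($chainProblems -join ', ')
    }
} |
    # Report anything unsigned, tampered, or signed by a certificate the chain now reports as revoked.
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.ChainIssue -match 'Revoked' } |
    Format-Table -AutoSize
```

Two caveats apply. `Get-AuthenticodeSignature` on its own may still report `Valid` for a file whose signature was timestamped before the certificate was revoked, which is why the script builds the chain itself with online revocation checking and reports `Revoked` separately; and the chain build needs outbound access to the issuer's CRL or OCSP responder, otherwise you will see `RevocationStatusUnknown` or `OfflineRevocation` rather than a definitive answer.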
“Finally, whilst all of the recovered samples are very closely related, we have recently recovered a sample that communicates with a different C&C server. All previously analyzed samples were configured to contact a server hosted in India. This particular Duqu file was configured to communicate with a server in Belgium with the IP address '220.127.116.11'. The server has since been taken offline. We appreciate the cooperation from the hosting provider in taking action immediately after being contacted.”
Symantec has also published a detailed and updated whitepaper on the topic. As news on this story continues to emerge, the community will be watching closely, since what is playing out looks like the predicted beginning of a wave of sophisticated, targeted cyber attacks of which Stuxnet was only the opening salvo.