An installer for the Duqu Trojan has been discovered by CrySys, the Hungarian firm that initially discovered the threat, and the file has shed some light onto how the threat managed to find its way to the targeted computers.
According to Symantec, the installer file is a MS Word document that takes advantage of a Windows zero-day kernel bug to execute the code that installs the main Duqu binaries – as shown by a helpful chart the company has made:
Symantec warns that this installer might not be the only one used by the attackers. Add to this the fact that the zero-day flaw misused by it is not likely to be patched in the coming week, and users are advised against downloading and opening any file attached to or linked to from an email they are not 100 percent sure it’s coming from a trusted source.
It is interesting to note that the shell-code included in the installer packet allowed the malicious binaries to be installed only during a particular eight-day period in August 2011 – perhaps other installers were rigged for other periods?
In the meantime, Symantec researchers have definitely confirmed that the Duqu Trojan has been found on computers located in eight countries (France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam), while other security companies have traced the infection also to Austria, Hungary, Indonesia, and UK. But unfortunately, due to IP address grouping, definitive organization to whom these computer belong are still unknown.
“Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers,” explain the researchers. “In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares. Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server.”
“The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server. Consequently, Duqu creates a bridge between the network’s internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.”