Windows Zero-Day Exploit Linked to Duqu Worm
A zero-day vulnerability discovered on Tuesday by Microsoft is being targeted by attackers as an open door to spread the Duqu malware.
While Microsoft has given little in the way of information, it sent the following Twitter message on Tuesday morning: "We are working to address a vulnerability believed to be connected to the Duqu malware."
The vulnerability appears to be a hole in Windows shell code that Duqu exploits to install itself, using files embedded in a Microsoft Word document, according to Symantec's description (PDF). The Word document is sent to users, who unwittingly set the malware's installation in motion when they open the attachment.
Little is known about the motivation of the attackers using Duqu, except that Duqu appears to target industrial control systems for information stealing. Symantec disclosed the malware newcomer last month and said it was a close relative to the Stuxnet worm due to the way it operates.
"The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered," wrote Symantec in a blog post. "Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party."
Duqu's goal appears to be data gathering, whereas Stuxnet was actually used to disrupt process control systems, specifically those used in Iran's nuclear reactor program. This difference appears to be why Symantec calls Duqu a "precursor" to Stuxnet.
While Symantec sounded the alarm about the new Trojan, Microsoft remained mum about it publicly until this week's tweet. Microsoft said it is working on a fix for the zero-day exploit but gave no indication of whether it would be ready for next week's Patch Tuesday release.
Microsoft may not think there's a huge amount of urgency to rush out a fix. A report last month by Microsoft downplayed the threat of zero-day exploits in general. In that report, Microsoft documented that only 0.12 percent of all software exploits in the first half of the year were due to zero-day holes. It's also thought that Duqu doesn't self-replicate and that the number of infected systems has been small so far.