Microsoft scrambles to thwart Duqu worm.

[Figure: Duqu flow and execution diagram. Source: The Hacker News]

From eastern Europe with love.

In September, a new worm, dubbed Duqu, was discovered in Hungary. It shares some characteristics with the Stuxnet worm and is widely believed to come from the same authors or from people with access to Stuxnet's source code. It arrives as a malicious Microsoft Word document; opening the document triggers an exploit for a vulnerability in the Windows kernel's TrueType font parsing code, which installs Duqu with kernel-level privileges.

It appears that Duqu captures keystrokes and attempts to steal digital certificates. It sends what it collects to "its master" in encrypted form, appended to a JPEG file (reported to be roughly 600 KB) and in related encrypted files, so the traffic looks like an ordinary image transfer. Initial reports indicate that once Duqu is behind a firewall it uses several methods, including network shares, to spread to other machines in the workgroup.
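A practical check for the hiding place described above is to parse a JPEG's marker structure, locate the real End-Of-Image marker, and look at whatever follows it: a large, near-random tail is the signature of an appended encrypted blob. The script below is an added example, not code from the original post or from any Duqu analysis; the minimal JPEG skeleton, the fake "encrypted" tail and the size/entropy thresholds are all constructed assumptions for illustration.

```python
"""
Added example: flag data appended after a JPEG's End-Of-Image marker.
Duqu hid encrypted stolen data inside JPEG files exchanged with its
controller. A triage check for that class of hiding place is to walk the
JPEG marker structure, find the real EOI (FF D9) and inspect what follows.
The sample bytes built here are constructed for this example; they are not
a real image and not real Duqu traffic.
"""
import hashlib
import math
import struct

EOI, SOS = 0xD9, 0xDA
RST_RANGE = range(0xD0, 0xD8)      # restart markers, legal inside scan data
STANDALONE = {0x01, *RST_RANGE}    # markers that carry no length field


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniform random / well-encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_eoi(jpeg: bytes) -> int:
    """Offset of the EOI marker. Headers are parsed segment by segment so a
    FF D9 inside a length-prefixed segment (e.g. an embedded thumbnail) is
    not mistaken for the end of the image. Raises ValueError when malformed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while True:                                  # header segments until SOS
        if pos + 2 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:                        # no scan at all
            return pos
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS:
            break
    # Entropy-coded data: 0xFF is escaped as FF 00 and RSTn markers may
    # appear, so the first FF D9 that is neither is the real EOI.
    while pos + 1 < len(jpeg):
        if jpeg[pos] == 0xFF and jpeg[pos + 1] == EOI:
            return pos
        pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(jpeg: bytes) -> bytes:
    """Everything after the EOI marker (empty for a clean file)."""
    return jpeg[find_eoi(jpeg) + 2:]


def suspicious_trailer(jpeg: bytes, min_len: int = 64, min_entropy: float = 7.0) -> dict:
    """Heuristic: a sizeable, near-random tail after EOI looks like an appended
    encrypted payload. Both thresholds are assumptions chosen for this example;
    a few bytes of zero padding from a camera should not trip them."""
    tail = trailing_data(jpeg)
    ent = shannon_entropy(tail)
    return {"trailer_len": len(tail), "entropy": round(ent, 2),
            "suspicious": len(tail) >= min_len and ent >= min_entropy}


def build_sample(tail: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (valid marker layout, not a picture)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56\x78"   # contains a stuffed FF 00 and an RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + tail


# Deterministic stand-in for an encrypted blob (hash chain, close to 8 bits/byte).
FAKE_ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    for name, tail in (("clean", b""), ("padding", b"\x00" * 16), ("appended", FAKE_ENCRYPTED)):
        print(name, suspicious_trailer(build_sample(tail)))
```

Run it over files pulled from a proxy cache or a packet capture; a hit is only a lead, since some legitimate tools also append metadata after EOI, but an encrypted-looking tail of hundreds of kilobytes on an image served by an unknown host is worth a closer look.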

Microsoft is expected to address Duqu alongside its regular "patch Tuesday" updates on November 8, a release slated to contain four bulletins. Until a patch is installed, Microsoft's interim workaround (Security Advisory 2639658) is to deny all access to t2embed.dll, the library that handles embedded TrueType fonts; this blocks the Word-document exploit at the cost of embedded fonts no longer rendering. I've not heard if Microsoft Security Essentials' latest update will detect Duqu.

A new generation of infection

Stuxnet introduced new techniques: it uses encryption to hide its components on the target computer and to protect the stolen data it sends "home", and the address of "home" is not fixed. Once it has set up shop on a computer, it refuses to reinfect a host it has already compromised. Duqu uses similar techniques and, to reduce the chance of detection, removes itself after 36 days.

As usual, don’t click on any unexpected email attachments.

© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695
