In September, a new worm, dubbed Duqu, appeared in Hungary. It shares some characteristics with the Stuxnet worm. It spreads via infected Microsoft Word documents and then exploits a vulnerability in Windows’ TrueType parsing engine.
It appears that Duqu captures keystrokes and attempts to steal digital certificates. It sends them to “its master” in encrypted form within a 600 KB JPEG file and related encrypted files. Initial reports indicate that once Duqu is behind a firewall, it uses multiple methods to spread within a workgroup.
Microsoft plans to issue a 4-part patch to thwart Duqu on November 8, along with its usual “patch Tuesday” updates. I’ve not heard if Microsoft Security Essentials’ latest update will detect Duqu.
A new generation of infection
Stuxnet introduced new techniques: it uses encryption to hide itself on the target computer and to hide the contents of the stolen data it sends “home”. Even the IP address of “home” changes randomly. Once it has set up shop on an infected computer, it blocks further infection by other, unknown malware. Duqu uses similar techniques and seems to remove itself after 36 days, to reduce the chance of detection.
As usual, don’t click on any unexpected email attachments.