Critical Windows zero-day bug exploited by Duqu

The Duqu malware used to steal sensitive data from manufacturers of industrial systems exploits at least one previously unknown vulnerability in the kernel of Microsoft Windows, Hungarian researchers said. The zero-day vulnerability was triggered by a booby-trapped Word document that was recently discovered by researchers from …

COMMENTS

This topic is closed for new posts.
  1. Gordon Fecyk

    How about... not running Word as an admin?

    If Symantec's little flowchart is accurate, the injection would fail at the "Shellcode executes driver" step because the user the said shellcode is running as wouldn't have permissions to add drivers or manipulate the kernel. Maybe it'd throw a UAC prompt up.

    One of Symantec's own anti-Duqu recommendations is:

    "Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application."

    If you take Symantec at face value, this workaround is a full stop for the thing. Their threat assessment of "Very Low" is also Very Telling.

    1. Microphage

      re: the injection would fail

      @Gordon Fecyk: "the injection would fail at the "Shellcode executes driver" step because the user the said shellcode is running as wouldn't have permissions to add drivers or manipulate the kernel"

      Seems clear the installer uses "a previously unknown kernel vulnerability that allows code execution" that runs at admin privilege without prompting the user.

      "The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution ... Duqu is able to get a foothold in an organization through the zero-day exploit".

      1. Gordon Fecyk

        Is bypassing UAC the same as bypassing non-admin?

        "that runs at admin privilege without prompting the user."

        UAC is what prompts the user, but an admin user using UAC is still an admin. What about non-admins? Standard users?

  2. Christian Berger

    If you ever want to get some nightmares

    Look up "OLE for process control". It's an "open standard" for industrial process control. To get the specifications you need to be a member. Membership starts at $1500 a year. Documents are in PDF (at least) but the provided videos are in strange early 1990s codecs.

    Of course the standard is based on DCOM, which is an obsolete Windows technology. (A new technology based on TCP/IP, called OPC UA, is being developed now.)

    So, seriously, I doubt they would have needed to exploit Word. Someone who spends a lot of money on such systems probably doesn't understand the slightest bit of security. You could most likely just have sent them a greeting card in an encrypted ZIP file.

    1. cloudgazer

      DCOM isn't obsolete. It's still very much part of MS' technology stack, and doesn't look like getting replaced anytime soon.

      1. Tom 13

        Being obsolete and being part of MS's current technology stack

        are not mutually exclusive events.

        1. Anonymous Coward

          Being obsolete and being part of MS's current technology stack

          Looks like a tautology to me.

  3. Anonymous Coward

    Am I reading this right?

    'The word document was worded in a way to “definitively target the intended receiving organization,”'

    These machines have been infected by a strongly worded letter?!

  4. Steve Knox

    “industrial industry manufacturers.” !?

    So they manufacture industry for other industries?

    Does this mean that, collectively, the targets would be called the industrial industry industry?

  5. ElReg!comments!Pierre

    Safe zone fail

    For security purposes, a computer connected to the internet is a computer that can communicate with a computer connected to the internet (yes, that's a bit of a recursive definition, I know). Even if it is not supposed to be able to talk TCP/IP to the outside world.

    The only safe zone there is is an ivory tower. No datalink whatsoever. And then strong physical security.

    1. Anonymous Coward

      Not necessarily

      A Safe Computing Enclave could be networked; one just has to make sure the routers are properly configured to isolate it from the general internet and to encrypt traffic outside the trusted areas.

      Of course that requires trust in the routers, but that is much less than trusting all the application software from the likes of Oracle, Adobe and Microsoft.

      1. Anonymous Coward

        Err...

        Tell that to banks: their ATMs and Internet banking exist in secure zones which are connected via DMZ layers to the bank's back-end systems and the Internet.

        I have rarely heard of Internet Banking hacks, and never heard of ATMs being hacked.

        1. Tom 13

          If you haven't heard of ATMs being hacked,

          you haven't been keeping up with your reg reading. Just the other day they posted an article about a wireless hack that lets you spit an endless stream of cash out of an ATM.

          The banks just eat the cost to avoid the bad PR. Sort of like they sometimes do with identity theft cases. I can testify to one such ID theft case. A co-worker who never uses an ATM was having money withdrawn from his account by ATM. After being able to prove he never requested or received an ATM card, the bank refunded all the "erroneous" ATM withdrawals and associated bank charges. No police report was ever filed in an attempt to apprehend the culprits.

        2. Aitor 1

          I can ASSURE you there are hacking incidents in banks.

          The only non-hackable system is one that is unplugged.

        3. John Smith 19 Gold badge

          AC@12:49

          "I have rarely heard of Internet Banking hacks, and never heard of ATMs being hacked."

          You mean not like Eastern Europe, where some ATMs were *loaded* with a malware kit to allow dumping *all* card details since the last time they had been triggered?

      2. Stuart Castle Silver badge

        And to make sure that no computers are configured as a bridge with one port connected to the internet, and the other connected to the secured area.

      3. ElReg!comments!Pierre

        Re: Not necessarily

        I do agree, but I was thinking "safe zone" and you are thinking "reasonably safe zone". These are two completely separate animals. One is a robust, sensible way to dodge most attacks at a reasonable cost while not hindering productivity. The other one is a safe zone.

  6. Drew V.

    Stuxnet? Targets all outside of the US?

    One could be forgiven for thinking that it's those bastards at the National Security Agency and the CIA again.

  7. Anonymous Coward

    No surprise...

    ...that Winblows has yet another security hole in it!

    1. ElReg!comments!Pierre

      in a nethack world:

      You hit the Troll. You hit the Troll. You choke the Troll. -more-

      The Troll just misses. The Troll strikes at your displaced image.

      You hit the Troll. You kill the Troll.

      [...]

      The Troll corpse tastes terrible. You finish eating the Troll corpse.

      You feel Winbloated.

    2. Wize

      Dear AC

      Are you telling us your system is 100% virus proof?

      I'm sure there are many people acting smug like that with an, as yet, undetected virus on their system.

  8. Yet Another Anonymous coward Silver badge

    Not the CIA

    "it's a highly sophisticated piece of malware that was designed for a very specific purpose"

  9. Gordon Fecyk

    If this thing comes in e-mail...

    ...wouldn't Symantec's acquisition of Messagelabs and their flagship Skeptic product save us? Or did the acquisition somehow remove the "100% virus detection guarantee?" Strange code in an otherwise harmless document would set off Skeptic's alarms before. Why not now?

    Or are we all doomed? Can't Symantec save us?

  10. Yet Another Anonymous coward Silver badge

    100% virus detection guarantee

    Didn't say anything about false positive rates, or removing them

    Apparently the source was recently leaked:

    @echo off

    echo "Virus detected"

  11. dssf

    Haven't they heard of social engineering?

    To GET that malicious payload through, unsuspected, the attacker could send a compelling video payload. The recipient could then fall victim by just "having to have it to see it play", and then follows a stealthy URL set up by the intending penetrator. The URL for the video loads the dodgy code, to prepare the way for the later-installed remote control payload. THEN, admin or not, if the user is permitted to selectively switch into and out of admin mode "to get work done", that laxity could be exploited.
