Kaspersky Lab Launches E-mail ‘Hotline’ for Duqu Victims
21 Nov 2011
The recent outbreak of the Duqu Trojan, a sibling of the infamous Stuxnet industrial malware, has become yet another example of a highly sophisticated cybercriminal act. The analysis carried out by Kaspersky Lab’s experts has proven that Duqu was used as a weapon for targeted attacks on certain businesses; as such, every single Duqu infection is no mere accident. In a move to aid Duqu analysis and treatment, Kaspersky Lab has set up a special e-mail address which companies and individuals can use to contact the company’s experts and request help in investigating an infection with Duqu.
The email@example.com e-mail is a digital hotline for those who may discover a Duqu infection on their PC. It is important to understand that the “remediate and forget” approach does not work for Duqu. Any infection attempt signals that it was important for cybercriminals to gain control over a certain system, so there’d be a high chance of repeated attacks using various other methods. By contacting Kaspersky Lab businesses and individuals can ensure the safety of their sensitive data.
The recent Duqu-related discoveries by Kaspersky Lab’s experts have revealed its method of infection, which was previously unknown. It turns out that the Trojan’s penetration method made use of carefully tailored socially-engineered e-mails. These e-mails contain a Word .doc file that exploits a zero-day vulnerability in Microsoft Windows’ font-parsing engine. Although the permanent fix for this vulnerability is yet to be released by Microsoft, Kaspersky Lab’s security products already detect and block the exploits using this security hole as well as all known modifications of Duqu itself.
In the latest update on Duqu analysis, the Trojan’s driver – the first component to be loaded in the system – is described. The method of how it contacts the command and control server is also revealed, as well as the fact that the payload DLL – another component of Duqu – is able to connect to network shares and even become a control server for other machines. Kaspersky Lab’s experts will continue their analysis of the complex structure of the payload, which has, among other features, a special functionality for stealing sensitive data. Detailed results of the Duqu analysis update are available here at Securelist.