Duqu: Steal Everything

Are You Safe?
Kaspersky Lab Protects Against Duqu-originated Zero-day Vulnerability in Windows
Our security solutions detect exploitation of the vulnerability that was used to distribute all known versions of the Duqu Trojan. Kaspersky Lab’s experts have implemented protection against Trojan.Win32.Duqu.a as well as other malicious programs exploiting the CVE-2011-3402 vulnerability.
The zero-day vulnerability in question is in the Win32k TrueType font-parsing engine; because that engine renders embedded fonts, the vulnerability affects various office programs. For example, a specially crafted Microsoft Word document opened on a victim’s machine can be used to elevate privileges and then run arbitrary code.
More information about the vulnerability can be found on Microsoft’s website.
What is Duqu?
Duqu FAQ. Latest update – March 27th, 2012
Kaspersky Lab’s investigation
“The Mystery of Duqu” in blogs:
- Part One. Connections between Duqu and Stuxnet. October 20th, 2011
- Part Two. One of the first real infection cases took place in Sudan. October 25th, 2011
- Part Three. Detection of the main missing link – a dropper that performed the initial system infection. November 02, 2011
- Part Four: Enter Mr. B. Jason and TV’s Dexter. Puzzles with a photo of the NGC 6745 galaxy and the TV series Dexter. November 11, 2011
- Part Five. Review of Duqu’s components. November 15, 2011
- Part Six. Researching the Command and Control infrastructure used by Duqu. November 30, 2011
- Part Seven. Stuxnet/Duqu: The Evolution of Drivers. December 28, 2011
- Part Eight. The mystery of the Duqu Framework. March 7, 2012
- Part Nine. The mystery of Duqu Framework solved. March 19, 2012
- Part Ten. The mystery of Duqu. March 27, 2012
Podcast
Costin Raiu of Kaspersky Lab's Global Research and Analysis Team talks about the investigation into Duqu, the likelihood that it was written by the same team as Stuxnet, whether a government is behind its development and what mistakes the authors made.
Download the podcast from the Threatpost site.
Duqu in the Media
- SC Magazine: Duqu variant uncovered, March 23, 2012
- MSNBC: Reworked version of Stuxnet relative Duqu worm found in Iran, March 22, 2012
- The Guardian: Boot up: why Britannica really stopped, iPad's new record, Duqu solved, ICS on Samsung and more, March 20, 2012
- Le Monde Informatique: The mysterious Duqu language is a version of object-oriented C, March 20, 2012
- PC World: Researchers Discover New Duqu Variant That Tries to Evade Antivirus Detection, March 20, 2012
- Wired: DuQu Mystery Language Solved With the Help of Crowdsourcing, March 19, 2012
- Wall Street Journal: Crowdsourcing and Kaspersky Crack Duqu Language, March 19, 2012
- CIO: Duqu trojan built by 'old school' programmers, Kaspersky says, March 19, 2012
- Tech Spot: Duqu Trojan contains mystery programming language in Payload DLL, March 8, 2012
- Security Week: Kaspersky Lab: Duqu Framework Likely Written in an Unknown Programming Language, March 8, 2012
- Wired: Researchers Seek Help in Solving DuQu Mystery Language, March 7, 2012
- V3: Researchers stumped over mystery code in Duqu malware, March 7, 2012
- Fox News: Cyberbomb That Hit Iran Was 1 of 5 Weapons, Researchers Say, December 29, 2011
- GovInfoSecurity.com: Researchers: Stuxnet Virus Origin Dates to 2007, December 29, 2011
- Reuters: Stuxnet weapon has at least 4 cousins: researchers, December 28, 2011
- Huffington Post: Stuxnet Virus, Duqu Virus And At Least 3 Others Reportedly Built On Same Platform, December 28, 2011
- Newsweek: New Computer Malware May Presage Another Cyberattack, Potentially on Iran, November 16, 2011
- eWeek: Duqu Gang Working on Trojan for Years: Kaspersky, November 15, 2011
- CSO: Duqu meets Dexter, November 14, 2011
- Computer World: Hackers May Have Spent Years Crafting Duqu, November 11, 2011
- PC World: Duqu Authors Sprinkle Humor in Dangerous Code, November 11, 2011
- MSNBC: Duqu Trojan Revealed to be Shape-Shifting Serial Killer, November 11, 2011
Stop Duqu!
The stopduqu@kaspersky.com e-mail address is a digital hotline for those who may discover a Duqu infection on their PC. Companies and individuals can use it to contact Kaspersky Lab’s experts and request help in investigating a Duqu infection.
The analysis carried out by Kaspersky Lab’s experts has shown that Duqu was used as a weapon for targeted attacks on certain businesses; as such, no Duqu infection is a mere accident. Any infection attempt signals that it was important for the attackers to gain control over a particular system, so there is a high chance of repeated attacks using various other methods. By contacting Kaspersky Lab, businesses and individuals can ensure the safety of their sensitive data.