The group that initially discovered the original Duqu binaries, CrySyS, has since located an installer for the Duqu threat. Until now, no one had been able to recover the installer, so no one knew how Duqu was initially infecting systems. Fortunately, an installer has now been recovered thanks to the work of the team at CrySyS.
The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries. The chart below explains how the exploit in the Word document file eventually leads to the installation of Duqu.
Figure 1: Duqu infection schematics.
The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations. Unfortunately, no robust workarounds exist at this time other than following best practices, such as avoiding documents from unknown parties and utilizing alternative software. Fortunately, most security vendors already detect and block the main Duqu files, thereby preventing the attack.
Once Duqu gains a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found showing the attackers commanding Duqu to spread across SMB shares. Interestingly, some of the newly infected computers could not connect to the Internet, and therefore could not reach the command-and-control (C&C) server. The Duqu configuration files on these computers were instead set not to communicate directly with the C&C server, but to use a file-sharing C&C protocol via another compromised computer that could connect to the C&C server. In effect, Duqu creates a bridge between the network's internal servers and the C&C server, which allowed the attackers to reach Duqu infections in secure zones by using computers outside the secure zone as proxies.
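The bridging pattern described above leaves a network footprint a defender can look for: an internal host that accepts SMB connections from peers that never reach the Internet, while it does reach external hosts itself. The following is an added example, not code from the post or the Symantec whitepaper; it runs a triage heuristic over constructed flow records (the addresses, the internal ranges and the `find_bridge_candidates` helper are all assumptions for illustration).

```python
# Added example (not from the Symantec post): flag internal hosts that look like
# a Duqu-style C&C bridge. A candidate bridge (1) talks to external addresses and
# (2) receives SMB (445) from internal peers that have no external flows at all.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges for this illustration.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.1.20", 445),      # isolated host -> candidate bridge over SMB
    ("10.1.1.6", "10.1.1.20", 445),      # second isolated host -> same bridge
    ("10.1.1.20", "203.0.113.7", 80),    # bridge reaches an external (TEST-NET-3) address
    ("10.1.1.5", "10.1.1.9", 445),       # ordinary SMB to a file server with no external flows
    ("10.1.1.30", "198.51.100.2", 443),  # normal workstation browsing, no inbound SMB
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bridge_candidates(flows, smb_port: int = 445) -> dict:
    """Return {candidate_bridge: [isolated SMB clients]} for the given flows."""
    external_talkers = set()          # internal hosts with any outbound external flow
    smb_clients = defaultdict(set)    # internal SMB server -> internal clients seen
    for src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            external_talkers.add(src)
        elif is_internal(src) and is_internal(dst) and port == smb_port:
            smb_clients[dst].add(src)

    candidates = {}
    for server, clients in smb_clients.items():
        if server not in external_talkers:
            continue  # never reaches the Internet, so it cannot relay to a C&C server
        isolated = sorted(c for c in clients if c not in external_talkers)
        if isolated:
            candidates[server] = isolated
    return candidates


if __name__ == "__main__":
    for bridge, clients in find_bridge_candidates(SAMPLE_FLOWS).items():
        print(f"possible bridge {bridge} serving isolated hosts {clients}")
```

Ordinary file servers that also browse the web will match this heuristic, so treat the output as a triage list to correlate with the whitepaper's diagnostics, not as a verdict.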
While the number of confirmed Duqu infections is still limited, using the above techniques we have seen Duqu spread across several countries. At the time of writing, Duqu infections have been confirmed in six possible organizations in eight countries.
The six possible organizations with confirmed infections, and the countries in which they are present, are:
• Organization A - France, Netherlands, Switzerland, Ukraine
• Organization B - India
• Organization C - Iran
• Organization D - Iran
• Organization E - Sudan
• Organization F - Vietnam
Note that some organizations are only traceable back to an ISP and therefore all six may not be separate organizations. Furthermore, due to grouping by IP addresses, we cannot definitively identify the organizations.
Other security vendors have reported infections in the following countries:
• United Kingdom
• Iran - infections different from those observed by Symantec
Figure 2: Countries with reported Duqu infections. Red represents confirmed infections, orange represents unconfirmed reports.
Finally, whilst all of the recovered samples are very closely related, we have recently recovered a sample that communicates with a different C&C server. All previously analyzed samples were configured to contact a server hosted in India. This particular Duqu file was configured to communicate with a server in Belgium with the IP address '220.127.116.11'. The server has since been taken offline. We appreciate the cooperation from the hosting provider in taking action immediately after being contacted.
We have shared information and samples with other security vendors so that they can verify protection accordingly.
Key updates in the Symantec whitepaper include:
• An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
• Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
• Six possible organizations in eight countries have confirmed infections
• A new C&C server (18.104.22.168) hosted in Belgium was discovered and has been shut down
We want to thank CrySyS for their continued cooperation and research.
You can find our updated whitepaper (version 1.3) here. In addition to further technical details we have added a 'Diagnostics' appendix for system administrators, which contains Duqu traces that may indicate an infection.
Note: Publication of the updated whitepaper may take time to replicate. Please try to download the paper at a later time if version 1.3 is unavailable.
Analysis of Duqu continues, so expect further updates.
Update: Microsoft has issued the following advisory and provided a workaround for the zero-day vulnerability identified as one Duqu infection vector: