Hotline for Duqu Victims

  • Email experts for help
  • Malware can steal sensitive data
  • Socially engineered emails cause infection

The recent outbreak of the Duqu Trojan, a sibling of the Stuxnet industrial malware, has become another example of a highly sophisticated cybercriminal act.

The analysis carried out by Kaspersky Lab’s experts has proven that Duqu was used as a weapon for targeted attacks on certain businesses; as such, every single Duqu infection is no mere accident. In a move to aid Duqu analysis and treatment, Kaspersky Lab has set up a special e-mail address which companies and individuals can use to contact the company’s experts and request help in investigating an infection with Duqu.

The [email protected] e-mail address is a digital hotline for those who discover a Duqu infection on their PC. It is important to understand that a “remediate and forget” approach does not work for Duqu. Any infection attempt signals that gaining control over that particular system mattered to the attackers, so there is a high chance of repeated attacks using other methods.

The recent Duqu-related discoveries have revealed its method of infection, which was previously unknown. It turns out that the Trojan’s penetration method made use of carefully tailored socially engineered e-mails. These e-mails contain a Word .doc file that exploits a zero-day vulnerability in Microsoft Windows’ font-parsing engine. Although the permanent fix for this vulnerability is yet to be released by Microsoft, Kaspersky Lab’s security products already detect and block the exploits using this security hole as well as all known modifications of Duqu itself.

The latest update on the Duqu analysis describes the Trojan’s driver, the first component to be loaded on the system, and how it contacts the command-and-control server. It also reveals that the payload DLL, another component of Duqu, is able to connect to network shares and even act as a control server for other machines. Kaspersky Lab’s experts will continue their analysis of the payload’s complex structure, which includes, among other features, dedicated functionality for stealing sensitive data.