Duqu Zero-Day Exploit Discovered, Removal Tool Released
If you have been following security news lately you may have already heard about the Duqu rootkit that combines the technology of the Stuxnet rootkit with a backdoor trojan and keylogger. Duqu has been discovered on October 18 and infection reports have started to come in soon thereafter.
Not all security suites and products detect the Duqu rootkit right now which, in combination with the fact that it exploits a zero-day vulnerability in Windows, makes it a very dangerous threat. Microsoft is currently working on a patch to protect systems from the vulnerability (which would make further infections on patched PCs impossible)
Rootkit.Duqu.A is digitally signed (with a stolen and revoked certificate) which means that it targets not only 32-bit Windows systems but also 64-bit editions of the Microsoft Windows operating system. According to information posted by Bitdefender, Duqu runs for 36 days on a computer collecting information entered via the keyboard. This may include passwords, emails, conversations, logins on popular sites and even banking and credit card information.
Symantec has posted additional information about Duqu's installer. According to Symantec's information, Duqu is spread as a Microsoft Word document that exploits a Windows kernel vulnerability that allows code execution. When a user opens the Word document the malicious code is executed and Duqu is installed on the system.
Duqu infections have already been confirmed in countries such as France, Switzerland, India, the United Kingdom, Austria and the Netherlands.
Symantec has released a whitepaper in pdf format that contains all known details up to this point.
Windows users who want to make sure that their system is clean and not infected by the Duqu rootkit can use Bitdefender's Removal Tool to scan the system and if necessary disinfect it.
The portable rootkit remover can be downloaded from an official Bitdefender website. All that Windows users need to do is to click on the Scan button to start the scan. The program will list any files that have been identified to be part of the Duqu rootkit. Please note that the program may require elevated rights on some machines.
Is there a way to protect your computer in the meantime? Yes, do not open Word documents locally. Use an online document viewer like Google Docs or Docs.com for that. (via)
Update: Microsoft has released updates for Windows that patches the vulnerability. You can read about the update here.
Great article, so thanks for keeping us in the loop, Martin!
Duku rootkit sounds really nasty, as are most, if not all forms of malware, etc. and once a system gets infected, it can be a real pain to clean!
Fortunately, Kaskersky (KIS 2012) scans my system regularly and it seems that I’ve been lucky, so far!
Keep your articles coming and keep the users educated on what’s going on out there! :)
Great thanks for the info, Martin. I downloaded the tool and of course no problem, no install, no garbage. One point to mention though is time, don’t run the tool if you’re in a hurry, because it really works …. hard!
Oh yeah, the scan can take quite some time ;)
Doesn’t work for me. I get a ‘Could not load trufos.sys’ error. Seems to be a common problem on Win 7 x64. Googling hasn’t found a solution.
I got the same error “Could not load trufos.sys”, on W7 64 bit. Someone’s posted the error to Bitdefender, so try it later.
Symantec will probably put out a tool soon.
I find it strange that it worked on my system without errors.
Forgive my ignorance but what is trufos.sys??
I ask because I have been battling a malware that’s been using this vunerability with ttf fonts. For nearly a year now – never occured to me this type of exploit was unusual else i would have mentioned it to someone! and the file this nasty uses is truesight.sys _ otherwise known as stealth destroy power in f. Fantasy games. And uses very similar variations to trufos.sys for aliases.
What if a person doesn’t use MS Word, but, instead, makes use of OpenOffice, LibreOffice and Jarte, f.e.? They’re what I use, though not OO since starting to use LO, but can occasionally use Jarte, as well. With LO, I create/save odt files, but also save copies in Word format when needing to be able to provide copies to people using Word and who might not have a version permitting the import of odt files.
And what if a person doesn’t use MS IE and OpenLook, but uses Firefox and Thunderbird, instead?
Does any of this at all diminish the risks of this Duqu rootkit damaging our systems, or spying on us?
To be honest, I cannot tell. What I can tell you however that it is a vulnerability in the Win32k TrueType font parsing engine, and not in Word. Other attack vectors as possible, see http://support.microsoft.com/kb/2639658 for a Quick Fix and further information.
OpenLook, vs MS Outlook :
In my prior post, I said OpenLook, but believe that the right name of the MS application that was meant is Outlook; the MS e-mail application, anyway.