Duqu Zero-Day Exploit Discovered, Removal Tool Released
If you have been following security news lately, you may already have heard about the Duqu rootkit, which combines technology from the Stuxnet rootkit with a backdoor trojan and a keylogger. Duqu was first reported on October 18, and infection reports started coming in soon thereafter.
Not all security suites and products detect the Duqu rootkit yet, which, combined with the fact that it exploits a zero-day vulnerability in Windows, makes it a very dangerous threat. Microsoft is currently working on a patch for the vulnerability; once installed, it closes the exploit's entry point, so this particular infection route no longer works on patched PCs.
Rootkit.Duqu.A is digitally signed with a stolen certificate that has since been revoked. The signature matters because 64-bit editions of Windows only load kernel drivers that carry a valid digital signature, so the rootkit can install on 64-bit systems as well as 32-bit ones. Revoking the certificate does not undo this on its own: the Windows kernel does not perform revocation checks when it loads a signed driver. According to information posted by Bitdefender, Duqu runs for 36 days on an infected computer, collecting information entered via the keyboard. This may include passwords, emails, chat conversations, logins to popular sites and even banking and credit card details.
Symantec has posted additional information about Duqu's installer. According to Symantec, Duqu is delivered as a Microsoft Word document that exploits a Windows kernel vulnerability, a flaw in the kernel-mode TrueType font parsing code (CVE-2011-3402) triggered by a font embedded in the document, to execute code with kernel privileges. When a user opens the Word document the malicious code runs and Duqu is installed on the system.
Duqu infections have already been confirmed in countries such as France, Switzerland, India, the United Kingdom, Austria and the Netherlands.
Symantec has released a whitepaper (PDF) that contains all details known up to this point.
Windows users who want to verify that their system is not infected by the Duqu rootkit can use Bitdefender's removal tool to scan the system and, if necessary, disinfect it.
The portable rootkit remover can be downloaded from Bitdefender's official website. Click the Scan button to start the scan; the program lists any files it identifies as part of the Duqu rootkit. Note that the tool may require elevated rights (run it as administrator) on some machines, and that, like any signature-based scanner, it only finds the Duqu components it already knows about.
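A complementary check that a practitioner can run alongside the removal tool, added here as an example and not taken from the article, Bitdefender or Symantec: since Duqu's driver is signed with a certificate that has since been revoked, and a scanner only catches the samples it has signatures for, it is worth listing every loaded kernel driver and verifying both its Authenticode signature and the revocation status of the signing certificate. The script assumes PowerShell 3.0 or later, an elevated prompt, and network access for CRL/OCSP lookups; the function name Test-LoadedDriverSignatures and the output columns are my own choices.

```powershell
# Added example (not from the original article, Bitdefender or Symantec).
# Lists loaded kernel drivers and flags any whose Authenticode signature is
# missing or broken, or whose signing certificate has been revoked.
# Assumes PowerShell 3.0+, an elevated prompt and network access for CRL/OCSP.

function Test-LoadedDriverSignatures {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver covers kernel-mode drivers; State 'Running' means loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName comes in several forms (\??\C:\..., \SystemRoot\..., C:\...);
        # normalise it to a plain file system path.
        $path = $d.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $chainStatus = @()
        $revoked = $false
        $signer = ''

        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            # SignatureStatus has no 'Revoked' value, and whether revocation is
            # consulted at all depends on policy and connectivity, so rebuild the
            # signer's chain explicitly with online revocation checking enabled.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag =
                [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            $null = $chain.Build($sig.SignerCertificate)
            $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $revoked = $chainStatus -contains 'Revoked'
            $chain.Reset()
        }

        [PSCustomObject]@{
            Driver      = $d.Name
            Path        = $path
            Signature   = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = $signer
            Revoked     = $revoked
            ChainStatus = ($chainStatus -join ',')
            # Anything not cleanly signed by an unrevoked chain deserves a look.
            Suspect     = ($sig.Status -ne 'Valid') -or $revoked
        }
    }
}

# Usage: run from an elevated prompt and show only the drivers worth a second look.
Test-LoadedDriverSignatures | Where-Object { $_.Suspect } | Format-Table -AutoSize
```

Treat the output as a shortlist for manual review rather than a verdict: a Revoked entry does not by itself prove infection (certificates are revoked for other reasons too), and ChainStatus values such as RevocationStatusUnknown or OfflineRevocation mean the CRL could not be fetched, not that the driver is clean.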
Is there a way to protect your computer in the meantime? Yes: do not open Word documents from untrusted sources locally. Use an online document viewer such as Google Docs or Docs.com instead; the file is then rendered on the provider's servers rather than by the vulnerable font-parsing code on your own Windows PC. This only blocks the delivery route seen so far, so it is a stopgap until the patch is installed, not a substitute for it.
Update: Microsoft has released updates for Windows that patch the vulnerability (Security Bulletin MS11-087). You can read about the update here.