The Duqu malware used to steal sensitive data from manufacturers of industrial systems exploits at least one previously unknown vulnerability in the kernel of Microsoft Windows, Hungarian researchers said. The zero-day vulnerability was triggered by a booby-trapped Word document that was recently discovered by researchers from …
If you ever want to get some nightmares
Look up "OLE for process control". It's an "open standard" for industrial process control. To get the specifications you need to be a member. Membership starts at $1500 a year. Documents are in PDF (at least) but the provided videos are in strange early 1990s codecs.
Of course the standard is based on DCOM which is an obsolete Windows technology. (A new technology based on TCP/IP is being developed now called OPC UA)
So, seriously, I doubt they would have needed to exploit Word. Someone who spends a lot of money on such a system probably doesn't understand the slightest bit of security. You could most likely just have sent them a greeting card in an encrypted ZIP file.
DCOM isn't obsolete. It's still very much part of MS' technology stack, and doesn't look like getting replaced anytime soon.
Being obsolete and being part of MS's current technology stack
are not mutually exclusive events.
Being obsolete and being part of MS's current technology stack
Looks like a tautology to me.
How about... not running Word as an admin?
If Symantec's little flowchart is accurate, the injection would fail at the "Shellcode executes driver" step because the user the shellcode is running as wouldn't have permission to add drivers or manipulate the kernel. Maybe it'd throw a UAC prompt up.
One of Symantec's own anti-Duqu recommendations is:
"Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application."
If you take Symantec at face value, this workaround is a full stop for the thing. Their threat assessment of "Very Low" is also Very Telling.
re: the injection would fail
@Gordon Fecyk: "the injection would fail at the "Shellcode executes driver" step because the user the shellcode is running as wouldn't have permission to add drivers or manipulate the kernel"
Seems clear the installer uses 'a previously unknown kernel vulnerability that allows code execution' that runs at admin privilege without prompting the user.
"The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution .. Duqu is able to get a foothold in an organization through the zero-day exploit".
Is bypassing UAC the same as bypassing non-admin?
"that runs at admin privilege without prompting the user."
UAC is what prompts the user, but an admin user using UAC is still an admin. What about non-admins? Standard users?
Am I reading this right?
'The word document was worded in a way to “definitively target the intended receiving organization,”'
These machines have been infected by a strongly worded letter?!
“industrial industry manufacturers.” !?
So they manufacture industry for other industries?
Does this mean that, collectively, the targets would be called the industrial industry industry?
Safe zone fail
For security purposes, a computer connected to the internet is a computer that can communicate with a computer connected to the internet (yes, that's a bit of a recursive definition, I know). Even if it is not supposed to be able to talk TCP/IP to the outside world.
The only safe zone there is is an ivory tower. No datalink whatsoever. And then strong physical security.
A Safe Computing Enclave could be networked - one just has to make sure the routers are properly configured to isolate from the general internet and to encrypt traffic outside the trusted areas.
Of course that requires trust in the routers, but that is much less than trusting all the application software from the likes of Oracle, Adobe and Microsoft.
Tell that to banks: their ATMs and Internet banking exist in secure zones which are connected via DMZ layers to the bank's back end systems and the Internet.
I have rarely heard of Internet Banking hacks, and never heard of ATMs being hacked.
And to make sure that no computers are configured as a bridge with one port connected to the internet, and the other connected to the secured area.
If you haven't heard of ATMs being hacked,
you haven't been keeping up with your Reg reading. Just the other day they posted an article about a wireless hack that lets you spit an endless stream of cash out of an ATM.
The banks just eat the cost to avoid the bad PR. Sort of like they sometimes do with identity theft cases. I can testify to one such ID theft case. A co-worker who never uses an ATM was having money withdrawn from his account by ATM. After being able to prove he never requested or received an ATM card, the bank refunded all the "erroneous" ATM withdrawals and associated bank charges. No police report was ever filed in an attempt to apprehend the culprits.
I can ASSURE you there are hacking incidents in banks.
The only non-hackable system is one that is unplugged.
Re: Not necessarily
I do agree, but I was thinking "safe zone" and you are thinking "reasonably safe zone". These are two completely separate animals. One is a robust, sensible way to dodge most attacks at a reasonable cost while not hindering productivity. The other one is a safe zone.
"I have rarely heard of Internet Banking hacks, and never heard of ATMs being hacked."
You mean not like Eastern Europe, where some ATMs were *loaded* with a malware kit to allow dumping *all* card details since the last time they had been triggered?
Stuxnet? Targets all outside of the US?
One could be forgiven for thinking that it's those bastards at the National Security Agency and the CIA again.
...that Winblows has yet another security hole in it!
in a nethack world:
You hit the Troll. You hit the Troll. You choke the Troll. -more-
The Troll just misses. The Troll strikes at your displaced image.
You hit the Troll. You kill the Troll.
The Troll corpse tastes terrible. You finish eating the Troll corpse.
You feel Winbloated.
Are you telling us your system is 100% virus proof?
I'm sure there are many people acting smug like that with an, as yet, undetected virus on their system.
Not the CIA
"it's a highly sophisticated piece of malware that was designed for a very specific purpose"
If this thing comes in e-mail...
...wouldn't Symantec's acquisition of Messagelabs and their flagship Skeptic product save us? Or did the acquisition somehow remove the "100% virus detection guarantee?" Strange code in an otherwise harmless document would set off Skeptic's alarms before. Why not now?
Or are we all doomed? Can't Symantec save us?
100% virus detection guarantee
Didn't say anything about false positive rates, or removing them
Apparently the source was recently leaked:
echo "Virus detected"
Haven't they heard of social engineering?
To GET that malicious payload through, unsuspected, the attacker could send a compelling video payload. The recipient could then fall victim by just "having to have it to see it play", and then follows a stealthy URL set up by the intending penetrator. The URL for the video loads the dodgy code, to prepare the way for the later-installed remote control payload. THEN, admin or not, if the user is permitted to selectively switch into and out of admin mode "to get work done", that laxity could be exploited.