Duqu targeted each victim with unique files and servers

The creators of the Duqu malware that penetrated industrial manufacturers in at least eight countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft Word documents that were different for each victim, according to research published on Friday. What's more, two of the drivers the …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

"Like forensics investigators"

"Like forensics investigators combing through a homicide scene for the tiniest scraps of evidence"

You mean, "File > Open..." "File > Get Info".

3
4
Anonymous Coward

More like "Dave, my eyes are killing me for peering through this hex editor to find something that makes sense, can you take over so I can get my two hours of sleep this week?"

1
0
Silver badge
Devil

You just got your machine hijacked, congratulations

Dude, with people like you around security will never be out of work.

0
0
Boffin

Not really

Of course not. We, the anti-virus people, are not dumb users. We have special, in-house developed tools for extracting such information.

0
1
Silver badge
Coat

The hidden message is an obvious reference to the Dexter television series

Not "Dexter's Lab"?

1
0
Bronze badge

Miami...

DADE, or "dead"?

1
0
Happy

Duqu - saving the business

Not sure how much M$ or the AV companies will take until a 100% cure is developed and released. But for my peers I would recommend the following prevention steps: 1. Use either OpenOffice or open the document in an online word processor such as Google Docs. 2. If that is not feasible, use a sandboxing technique to run MS Word to open documents received from the internet.

Though I have not tested these, I am sure this will not allow the embedded code to exploit the vulnerability. I have not come across any infected doc, but I am desperately waiting for one to test it out :)

0
1
Bronze badge

Try reading the analysis next time

It's likely neither of your suggestions would help in the slightest. Duqu exploits a vulnerability in TrueType font handling in the Windows kernel. Using a different application (e.g. OpenOffice) won't help if that application attempts to render the embedded font. Neither will sandboxing, unless the sandbox has its own TrueType renderer.

You could open the malicious Word file in a copy of Word running under Windows in a VM; then only the VM would be infected, and if you shut it down before Duqu got around to probing for SMB connections or other infection vectors, and you reset the VM to a previous image, you'd be OK. That's a little heavy to use as a routine precautionary measure, don't you think?

Of course you could avoid this particular vector by opening the file in an application running under Linux or Mac OS or any other non-Windows OS, since this exploit is Windows-specific. Then you'd just be exposed to that OS's vulnerabilities instead. Maybe it'll be a long time before there's a Duqu-class worm for Linux or Mac. Maybe one's already out there.

0
0
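The two posts above disagree about whether an alternative word processor or an application sandbox helps; the second post's point is that the parser at risk is the kernel's font engine, which any Windows application renders through. The practical triage question before a document reaches that engine is therefore whether the file carries an embedded TrueType/OpenType font at all. The scanner below is an added example written for this thread, not code from the article or from any of the analyses it cites: it walks a raw byte blob looking for sfnt magic values, validates the table directory that must follow a real font header (table count, printable tags, tables lying inside the blob, at least two well-known tables) so that a stray magic value is not reported, and summarises what it finds. Everything about the sample document is constructed inline; the blob is not a usable font, and the scan works on raw bytes only, so fonts inside a compressed container would need to be unpacked first. An embedded font is a triage signal, not proof of an exploit.

```python
import struct

# sfnt (TrueType/OpenType container) magic numbers and what they denote.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType/CFF",
}

# Table tags that real fonts carry; a candidate must have at least two of them.
KNOWN_TAGS = {b"cmap", b"glyf", b"head", b"hhea", b"hmtx", b"loca", b"maxp",
              b"name", b"post", b"OS/2", b"CFF ", b"fpgm", b"prep", b"cvt "}

# Tables holding TrueType hinting bytecode, which the rasterizer interprets.
PROGRAM_TAGS = {b"fpgm", b"prep"}


def parse_sfnt_at(data: bytes, off: int):
    """Validate a candidate sfnt header at offset `off`.

    Returns a summary dict when the header and its table directory are
    internally consistent and every table lies inside `data`, else None.
    """
    if off + 12 > len(data):
        return None
    magic = data[off:off + 4]
    if magic not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", data[off + 4:off + 6])[0]
    if not 1 <= num_tables <= 64:            # real fonts have a handful of tables
        return None
    if off + 12 + 16 * num_tables > len(data):
        return None
    tables = []
    for i in range(num_tables):
        entry = off + 12 + 16 * i
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", data[entry:entry + 16])
        if not all(0x20 <= b < 0x7F for b in tag):      # tags are printable ASCII
            return None
        if toff < 12 or off + toff + tlen > len(data):  # table must lie in the blob
            return None
        tables.append(tag)
    if len(set(tables) & KNOWN_TAGS) < 2:
        return None
    return {
        "offset": off,
        "format": SFNT_MAGICS[magic],
        "tables": [t.decode("ascii") for t in tables],
        "has_hinting_programs": bool(set(tables) & PROGRAM_TAGS),
    }


def find_embedded_fonts(data: bytes):
    """Return summaries of every validated sfnt font found anywhere in `data`."""
    hits = []
    for magic in SFNT_MAGICS:
        start = 0
        while True:
            i = data.find(magic, start)
            if i == -1:
                break
            summary = parse_sfnt_at(data, i)
            if summary:
                hits.append(summary)
            start = i + 1
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_font(tables):
    """Construct a minimal, non-renderable sfnt blob for testing (constructed data)."""
    num = len(tables)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 0, 0, 0)
    directory, body = b"", b""
    first_table = 12 + 16 * num
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, first_table + len(body), len(payload))
        body += payload
        body += b"\x00" * (-len(body) % 4)      # tables are 4-byte aligned
    return header + directory + body


# Constructed stand-in for a document: filler, one embedded font, then a stray
# magic value with a zero table count that a naive signature match would flag.
SAMPLE_PREFIX = b"%CONSTRUCTED-DOC%" + b"A" * 40
SAMPLE_DOC = (SAMPLE_PREFIX
              + build_sample_font([(b"head", b"\x00" * 54), (b"cmap", b"\x00" * 20),
                                   (b"glyf", b"\x00" * 8), (b"fpgm", b"\xb0\x00")])
              + b"trailing text " + b"\x00\x01\x00\x00" + b"\x00\x00" + b"\xff" * 30)

if __name__ == "__main__":
    for font in find_embedded_fonts(SAMPLE_DOC):
        print(f"embedded {font['format']} font at offset {font['offset']}: "
              f"tables={font['tables']} hinting={font['has_hinting_programs']}")
```

Run against a real file by reading it in binary mode and passing the bytes to `find_embedded_fonts`; a non-empty result means the document will hand font data to whatever rasterizer the viewing application uses, which, as the post above notes, is the kernel's on Windows regardless of which application opens the file.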
Silver badge
Devil

Sigh

The level of discourse of both the talking heads and the press seems to indicate that in the past fifteen years no significant resources have been deployed anywhere on Earth to respond to the threat, to understand or report it. That's appalling. The entire world is asleep at the switch.

This is grade school hacker stuff, not high-end nation-state stuff. You folk have no idea how bad the situation really is. I'll give you a hint though: it's worse. Much worse. So much worse that you wouldn't believe it.

0
0