Duqu targeted each victim with unique files and servers

The creators of the Duqu malware that penetrated industrial manufacturers in at least eight countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft Word documents that were different for each victim, according to research published on Friday. What's more, two of the drivers the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "Like forensics investigators"

    "Like forensics investigators combing through a homicide scene for the tiniest scraps of evidence"

    You mean, "File > Open..." "File > Get Info".

    1. Anonymous Coward

      More like "Dave, my eyes are killing me for peering through this hex editor to find something that makes sense, can you take over so I can get my two hours of sleep this week?"

    2. Dr. Vesselin Bontchev

      Not really

      Of course not. We, the anti-virus people, are not dumb users. We have special, in-house developed tools for extracting such information.

    3. Voland's right hand Silver badge

      You just got your machine hijacked, congratulations

      Dude, with people like you around security will never be out of work.

  2. Graham Marsden

    The hidden message is an obvious reference to the Dexter television series

    Not "Dexter's Lab"?

  3. dssf

    Miami...

    DADE, or "dead"?

  4. Varinder Kumar

    Duqu - saving the business

    Not sure how much M$ or the AV companies will take until a 100% cure is developed and released. But for my peers I would recommend the following prevention steps:
    1. Use either Open Office or open the document in an online word processor such as Google Docs.
    2. If that is not feasible, use a sandboxing technique to run MS Word to open documents received from the internet.

    Though I have not tested these, I am sure this will not allow the embedded code to exploit the vulnerability. I have not come across any infected doc, but I am desperately waiting for one to test it out :)

    1. Michael Wojcik Silver badge

      Try reading the analysis next time

      It's likely neither of your suggestions would help in the slightest. Duqu exploits a vulnerability in TrueType font handling in the Windows kernel. Using a different application (e.g. OpenOffice) won't help if that application attempts to render the embedded font. Neither will sandboxing, unless the sandbox has its own TrueType renderer.

      You could open the malicious Word file in a copy of Word running under Windows in a VM; then only the VM would be infected, and if you shut it down before Duqu got around to probing for SMB connections or other infection vectors, and you reset the VM to a previous image, you'd be OK. That's a little heavy to use as a routine precautionary measure, don't you think?

      Of course you could avoid this particular vector by opening the file in an application running under Linux or Mac OS or any other non-Windows OS, since this exploit is Windows-specific. Then you'd just be exposed to that OS's vulnerabilities instead. Maybe it'll be a long time before there's a Duqu-class worm for Linux or Mac. Maybe one's already out there.
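The point made above is that the dangerous payload is the embedded TrueType font itself, not the Word application around it, so a defender's first triage step is simply to ask whether a document carries an embedded font at all. The following is an added example, not code from the comment, the article, or any analysis it cites: a heuristic scanner that looks for sfnt (TrueType) headers inside an arbitrary byte blob and validates the table directory before reporting a hit. It assumes the font is stored uncompressed (true for legacy .doc OLE streams, not for zipped .docx members, which would need unzipping first), and it flags the presence of a font, not any particular exploit.

```python
import struct
from typing import Dict, List

# Tags that a real, renderable TrueType font almost always carries.
TAGS_OF_INTEREST = {"glyf", "cmap", "head", "hhea", "maxp"}

def _valid_search_fields(num_tables: int, search_range: int,
                         entry_selector: int, range_shift: int) -> bool:
    """searchRange/entrySelector/rangeShift are fixed functions of numTables;
    checking them cheaply rejects random 0x00010000 byte runs in a file."""
    if not 1 <= num_tables <= 64:
        return False
    power, selector = 1, 0
    while power * 2 <= num_tables:
        power, selector = power * 2, selector + 1
    return (search_range == power * 16 and entry_selector == selector
            and range_shift == num_tables * 16 - search_range)

def find_truetype_fonts(blob: bytes) -> List[Dict]:
    """Return candidate embedded TrueType fonts found in blob, with the
    offset of each sfnt header and the tags in its table directory."""
    hits, magic = [], b"\x00\x01\x00\x00"
    pos = blob.find(magic)
    while pos != -1:
        if pos + 12 <= len(blob):
            num_tables, sr, es, rs = struct.unpack_from(">HHHH", blob, pos + 4)
            if _valid_search_fields(num_tables, sr, es, rs):
                tags, ok = [], True
                for i in range(num_tables):
                    rec = pos + 12 + 16 * i
                    if rec + 16 > len(blob):
                        ok = False
                        break
                    tag, _csum, off, length = struct.unpack_from(">4sIII", blob, rec)
                    # Tags must be printable ASCII and every table must lie inside the blob.
                    if not all(0x20 <= c < 0x7F for c in tag) or pos + off + length > len(blob):
                        ok = False
                        break
                    tags.append(tag.decode("ascii"))
                if ok and TAGS_OF_INTEREST & set(tags):
                    hits.append({"offset": pos, "num_tables": num_tables, "tables": tags})
        pos = blob.find(magic, pos + 1)
    return hits

def build_sample_document() -> bytes:
    """Constructed sample (not a real Duqu dropper): OLE-like filler bytes
    around a minimal three-table sfnt so the scanner has something to find."""
    tags = [b"cmap", b"glyf", b"head"]
    num = len(tags)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 32, 1, 16)
    data_start = 12 + 16 * num  # table data follows the directory
    records = b"".join(struct.pack(">4sIII", t, 0, data_start + 8 * i, 8)
                       for i, t in enumerate(tags))
    font = header + records + b"\x00" * (8 * num)
    return b"\xd0\xcf\x11\xe0" + b"A" * 100 + font + b"B" * 50
```

A hit only says "this document embeds a font and deserves a closer look or a detonation in a throwaway VM"; a clean result says nothing about other vectors.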

  5. Mikel

    Sigh

    The level of discourse of both the talking heads and the press seems to indicate that in the past fifteen years no significant resources have been deployed anywhere on Earth to respond to the threat, to understand or report it. That's appalling. The entire world is asleep at the switch.

    This is grade school hacker stuff, not high-end nation-state stuff. You folk have no idea how bad the situation really is. I'll give you a hint though: it's worse. Much worse. So much worse that you wouldn't believe it.
