Researchers: MS Word Flaw Enables Duqu Virus; No Fix

Dennis Faas's picture

New reports are surfacing with details of the latest and what's considered to be one of the most dangerous Internet worms, dubbed "Duqu." It's said the worm can install and spread itself due to a security loophole in Microsoft Word.

As reported last week, Duqu's programming code is very close to that of the Stuxnet worm that wreaked havoc back in 2010. Stuxnet was a particularly sophisticated virus which infected Windows-based PCs, and in turn, attacked computers that controlled equipment in Iran's nuclear program to the point where it caused irreversible damage to equipment.

So far, it doesn't appear that Duqu is designed to damage either physical equipment or software. Instead, it is most likely being used to gather information about target computer systems in order to make a future attack more effective.

Budapest University Spots New Clues

The Hungarian organization that originally discovered Duqu, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics, has now uncovered a file used to install Duqu on machines.

As with the initial revelation, it has passed the details on to security companies such as Symantec to help publicize the findings. (Source: symantec.com)

According to Symantec, the file in question is actually a Microsoft Word document. It's set up so that once opened, it exploits a previously unknown bug in MS Word that allows malicious programming code ("malware") to run on the computer. Microsoft is now aware of the bug and is working on a security patch.

Cyber Attack Target Not Random

The MS Word document Symantec saw contains material that makes it clear the hackers were intentionally targeting a specific organization, which makes it much easier to make the document appear legitimate.

The theory fits in with previous conclusions that Duqu isn't designed to spread via email to a mass audience, but rather to get inside a specific organization and then spread across internal networks.

It's already been found that in one case Duqu was able to replicate itself via Server Message Block (SMB), a Windows feature for sharing files and access to hardware.

So far, it appears only a handful of organizations have been affected, in up to a dozen countries (mainly in Europe and Asia). Perhaps most significantly, at least one organization in Iran has been targeted as well. (Source: bbc.co.uk)

Rate this article: 
No votes yet