November 01, 2011, 5:15 PM — A new version of the installer for the "Son of Stuxnet" virus Duqu is a rare find. Not only does it include what is currently the hottest malware on the market, it uses a previously unknown vulnerability in the Windows kernel that accepts code executed elsewhere as having originated within the victim's machine.
The variant was discovered by the CrySyS Lab at the Budapest University of Technology and Economics, which discovered the original version of Duqu – a virus that shares much of the same code that made Stuxnet so effective, but is designed as a remotely targeted spy rather than saboteur.
It is housed within a Word document that, when opened, uses the kernel flaw to install Duqu and launch an attack, though Symantec researchers found this variant was designed to be installed only during eight days in August.
Symantec also provided a schematic of the process Duqu follows to exploit the flaw and install itself.
The remote-execution flaw makes Duqu more dangerous and better able to penetrate secure facilities because it allows infected machines to communicate with each other rather than directly with a command controller outside the firewall.
Once installed in one machine, this version of Duqu spreads itself to other machines, using an encrypted file-sharing protocol to communicate with one machine that has a confirmed open link to the outside.
In that way it can spread across many servers within a secure environment without tripping alarms designed to be on the lookout for viruses phoning home from every machine they infect.
"Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies," according to Symantec's analysis.
So far, according to Kaspersky Labs, Duqu infections have been recorded only in Sudan and Iran, though there is no obvious connection to Iran's nuclear program, which Stuxnet was designed to attack.
Duqu is different from Stuxnet in that it is a framework within which a number of different drivers, modules and encryption methods can be used to attack weaknesses peculiar to a specific target.