The mystery of Duqu: part three
(Publication) Google search: [1]
| The mystery of Duqu: part three | |
|---|---|
| Botnet | Duqu |
| Malware | Duqu (bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2011 / 2 novembre 2011 |
| Editor/Conference | Kaspersky lab |
| Link | http://www.securelist.com/en/blog/208193206/The Mystery of Duqu Part Three (Archive copy) |
| Author | Alexander Gostev |
| Type | |
Abstract
“ Now, for some much more interesting news. It turned out that the continuing research by the Hungarian lab Crysys has led to the detection of the main missing link – a dropper that performed the initial system infection.
As we expected, a vulnerability was to blame. An MS Word doc file was detected that was sent to one of the victims by the people behind Duqu. The file contained an exploit for a previously unknown vulnerability in Windows that extracted and launched components of Duqu.
Symantec and Microsoft still haven’t made the actual dropper file available to other antivirus companies yet, nor have they provided information about which Windows component contains the vulnerability that results in privilege escalation. However, indirect evidence suggests that the vulnerability is in win32k.sys.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR932,
editor = {Kaspersky lab},
author = {Alexander Gostev},
title = {The mystery of Duqu: part three},
date = {Error: Invalid time.},
month = Error: Invalid time.,
year = {2011},
howpublished = {\url{http://www.securelist.com/en/blog/208193206/The_Mystery_of_Duqu_Part_Three}},
}