Security researchers said Tuesday the Duqu Trojan used a Word document that exploits a Microsoft zero-day vulnerability in order to infect computers. Microsoft said it’s working to address the flaw.
Researchers at the Laboratory of Cryptography and System Security (CrySys) in Budapest, Hungary, uncovered the installer: a Word document that, according to Symantec researchers, exploits a previously unknown kernel vulnerability. Symantec issued a report last month detailing the similarities between Duqu and the notorious Stuxnet malware. Designed to steal data, Duqu was discovered on the systems of industrial component manufacturers.
In an email statement, Jerry Bryant, group manager of response communications for Microsoft Trustworthy Computing, said, “Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process.”
According to Symantec, the Word document was crafted to target specific organizations. Symantec researchers noted that this installer is the only one recovered to date, and that the attackers may have used other methods to spread Duqu. In a blog post Tuesday, Symantec said there are no robust workarounds for the vulnerability, but that most security vendors already detect and block the main Duqu files.
The number of confirmed Duqu infections remains limited: according to Symantec, infections have been confirmed in six possible organizations across eight countries, including France, India and Iran.
According to Reuters, computer investigators in India have seized the computer equipment believed to have hosted the command-and-control server connected to Duqu.