Microsoft Windows Zero-Day Exploited by Duqu Attackers

Duqu Installer Exploited Windows Zero-Day to Infect Systems

Taking another page from Stuxnet, it seems the attackers behind Duqu used a Microsoft Windows zero-day as part of their attack campaign.

According to Symantec, researchers at the Laboratory of Cryptography and System Security (CrySyS) – the group that initially discovered the original Duqu binaries – have located an installer for the malware. The installer file is a malicious Microsoft Word document that exploits a previously unknown kernel vulnerability that allows code execution. Microsoft has been notified and is working on a fix.

“When the file is opened, malicious code executes and installs the main Duqu binaries,” blogged Vikram Thakur, principal security response manager at Symantec.

“The Word document was crafted in such a way as to definitively target the intended receiving organization,” he continued. “Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations. Unfortunately, no robust workarounds exist at this time other than following best practices, such as avoiding documents from unknown parties and utilizing alternative software.”

Once Duqu has infected an organization through the zero-day, the attackers can infect other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares, Thakur explained.

“Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server,” he wrote. “The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server. Consequently, Duqu creates a bridge between the network’s internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.”
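As an added defender-side example (not from Symantec's write-up or this article), the following Python scans constructed flow records for the bridging pattern described above: an internal host with internet egress that also receives SMB traffic from internal hosts that never reach outside. The host addresses, the 10.x internal range and the flow record format are assumptions made for the example.

```python
from collections import defaultdict

# Constructed netflow-style records: (timestamp, src, dst, dst_port, bytes).
# Hypothetical layout: 10.1.x is an office segment with internet egress,
# 10.2.x is a segment that is not allowed to reach the internet.
FLOWS = [
    ("2011-08-10T09:00:01", "10.1.0.5", "203.0.113.7", 443, 1200),  # 10.1.0.5 talks to an external host
    ("2011-08-10T09:00:30", "10.1.0.5", "203.0.113.7", 443, 800),
    ("2011-08-10T09:05:00", "10.2.0.9", "10.1.0.5", 445, 5000),     # isolated host writes to 10.1.0.5's share
    ("2011-08-10T09:06:00", "10.1.0.5", "203.0.113.7", 443, 5100),  # 10.1.0.5 goes external shortly after
    ("2011-08-10T09:10:00", "10.2.0.12", "10.2.0.20", 445, 300),    # ordinary internal file sharing
    ("2011-08-10T09:11:00", "10.1.0.8", "203.0.113.7", 443, 400),   # external traffic, but no inbound SMB
]


def is_internal(ip):
    """Assumed internal range for this example: anything in 10.0.0.0/8."""
    return ip.startswith("10.")


def find_cc_bridges(flows):
    """Return {bridge_host: [isolated peers]} for hosts that both reach external
    addresses and accept SMB (tcp/445) from internal hosts that never do.

    This is the shape of the Duqu relay described in the article: a machine
    without internet access hands traffic to a peer over file sharing, and the
    peer forwards it to the C&C server."""
    egress = set()              # internal hosts with at least one flow to a non-internal address
    smb_in = defaultdict(set)   # SMB destination -> set of internal sources that connected to it
    for _, src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):
            egress.add(src)
        elif is_internal(src) and is_internal(dst) and port == 445:
            smb_in[dst].add(src)

    bridges = {}
    for host in egress:
        # Peers that push data over SMB to this host but never leave the network themselves.
        isolated_peers = sorted(p for p in smb_in.get(host, ()) if p not in egress)
        if isolated_peers:
            bridges[host] = isolated_peers
    return bridges


if __name__ == "__main__":
    for host, peers in find_cc_bridges(FLOWS).items():
        print(f"possible C&C bridge {host}: SMB from isolated hosts {peers}")
```

A legitimate file server that also has internet access will match this rule, so in practice exclude known servers and treat a hit on a workstation as the interesting case.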

The revelation that Duqu uses a zero-day is yet another similarity with Stuxnet, the notorious worm discovered in 2010 targeting industrial control systems. In the case of Stuxnet, the attackers used four Microsoft zero-days to infect systems.

So far, the damage done by Duqu remains limited. According to Symantec, six organizations are believed to have been infected with the malware. Some of the organizations are only traceable back to an ISP, so it is possible that not all six are separate organizations. Still, the targets have a presence in eight countries: France, India, Iran, Vietnam, Sudan, Netherlands, Ukraine and Switzerland. Other security vendors, however, have reported infections in other countries as well, including Hungary, Austria and the U.K.

Last month, authorities in India seized components for a server belonging to a company in Mumbai after being told the server was communicating with machines infected with the Trojan.

“Fortunately, most security vendors already detect and block the main Duqu files, thereby preventing the attack,” Thakur said.
