A new trojan has hit the market looking for victims. It is known as the Duqu trojan, and was identified by the same Hungarian firm that first discovered the original “zero-day” threat.
The installer is presented to the victim as a Word document, which exploits the Windows “zero-day” vulnerability and installs the Duqu binaries.
Symantec has provided a visual flowchart of the infection process (below).
Symantec also warns that this installer might not be the only one used. Add to this that the vulnerability isn’t scheduled to be patched in the coming week, and things could get a little bit hairy.
According to Symantec, the shellcode of the infectious program that was tested was designed to install the binaries during an eight-day period in August 2011. However, it is possible that other installers are in circulation with more current install periods.
“Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers,” explains Symantec. On a couple of infected networks, it was found that the Duqu infection did not require an infected computer to have an internet connection in order to communicate with the Command Server. The Duqu trojan instead used the existing internal network of the compromised organization to establish a bridge between the infected computers and the Command Server. So as long as the infected computers were connected via the internal network to a system with internet access, they could communicate with the Command Server.
The thing you want to take away from this is that unless you are 100% certain that your email is coming from a trusted source, do not open any attachments.