Duqu Installer Exploits Windows Kernel Zero Day
Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."
Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER
"When information is power, privacy is freedom" - Jah-Wren Ryel
I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?
With a name like "game boy" and a comment about "SMB shares", I think for half a second about this kind of SMB share.
I'm impressed Microsoft even acknowledged it. Years ago they would have buried this news, claiming anyone reporting on it was aiding terrorists. I'm looking forward to the fix, when they roll it out in a couple of months.
A feeling of having made the same mistake before: Deja Foobar
But how do you reverse such a hole? Like this.
It's Windows. Why should you be surprised?
This kind of advice is classic. It's also pointless.
This kind of attack 'comes' from people or sources you know (most users are not going to check full headers) - and it's spear phishing in nature - so it's documents that look viable and realistic.
This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but that's nothing unusual today in infrastructure that is too loose/insecure).
The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. It's wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.
And that's before you really face up to Stux and its game-changing nature. Now it's not just PCs/Windows that you have to watch. And that's a whole new ballgame.
So explain to me how Apple doesn't do any of these things? You realize that for a long time now the main method of jailbreaking their phones has been a PDF exploit that allows you to root the device... not only is it documented and in active use, but it has been there for years now, and they still have not fixed it.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
You guys don't know much about computers, do you? You laughably seem to think only privileged processes have access to kernel calls and can exploit bugs in them.
Get a clue. You don't know what a "kernel vulnerability" is, judging by your rhetoric you seem to think only silly OS's like Windows have them and allow user-land processes to exploit them. Not true.
Hey! Where is Borg Bill? Put it back right now!
Because of binary file formats, binary fonts, etc. All data is just data, including code. A is the same as \x41 which is the op code for INC EAX, for example. That's effectively a NOP as far as shell code is concerned, though. Others do other things, of course. It's the same reason you can do exploits in PDF or other file format attacks.
You did read the story correctly - right?
You realise it's a 0-day unknown exploit. (The user level is right, absolutely - users should be user class, not admins - but it's a kernel vuln, that's the point sometimes.)
You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - despite masses of evidence you need to rethink how you see this.
When the word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.
STOP thinking you have this all covered. You don't. The game has changed, and it's tick-tock in the security area.
>Once again, don't open email attachments from unknown senders.
>unknown senders
If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.
For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.
The "From:" header can be anything, Anon, and it can be trivially set.
Go ahead, blame the victim. It doesn't make you any less of a douche.
--
BMO
I hope that was sarcasm.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
If you *need* a firewall for security on your border you are doing it wrong.
There are already OSX Trojans that are effective because Mac users feel invincible because they aren't running Windows. The fact that those exist is a warning to Apple that their market share is getting large enough to be targeted, but nobody seems to care about educating their users.
To offset political mods, replace Flamebait with Insightful.
You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!
"A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution." It's an exploit embedded inside a Word document. You can't get more local than that.
"Next you'll be telling me that I shouldn't let filesharing ports open to the world."
You shouldn't let filesharing ports open to the world.
HTH!
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
do you have a kernel security bug in a word processor?
Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.
I work for the Department of Redundancy Department.
I think the better question is why does it have to be Word, as opposed to any other user space unprivileged process. My guess would be because of all the macros/scripting and other bad ideas in Word.
wipe your disk and reinstall Windows.
I'm Not Antisocial, I'm Just Not User Friendly
Right, so evolution will decide if my servers are going to get hacked or not? No thanks. I'm so glad I'm running Novell OES right now.
^what he said . . . . geez . . . .
Since when does being a Socialist mean 'someone who has a different opinion than me'?
Clearly, you didn't read the article. The document attachment won't trigger your scanner, because it exploits an unpublicized kernel vulnerability. Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you. So unless you forbid people to get any and all .doc/.docx files from any source, you are vulnerable to something like this.
So ... you do block all possible access to .docx files, right? Or maybe you need to realize that your 20 year old security rules that aren't 20 years old are also already out of date. The game has changed.
doc
Probably because it's easier to get someone to open a Word document than e.g. an executable, and yes because Word has limited code execution capabilities.
It wasn't. Go take an OS course, please.
Instead of using email attachments, make it company policy to drop the attachments on a network drive, and instead share intranet links.
Anyone who spear phishes with attachments will fail. Now they will need intranet access, which can be significantly harder to acquire.
:(){
Someone should mod you into oblivion for posting a PCWorld ad for Symantec, because that's all that article is. It even tells people to not only just install anti-malware, but to install Norton, and does not mention any other security companies at all.
--
BMO
Plus, God knows, news from higher-ups never comes in an email itself. Instead, we get emails from the CEO's secretary that say "Please read the attached message from the CEO." I've gotten plenty, so yeah, if I got one, I'd open it. I might know it's a fake if there were grammatical errors or if the secretary's name (which I happen to know) wasn't on there, but otherwise, yeah, it wouldn't be unusual at all.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Once again, don't open email attachments from unknown senders.
Since many web browsers are so helpful nowadays, you don't need to run any executables or open any attachments anymore. Browsers will usually help you by opening malware-ridden PDFs, Flash objects, as well as DOC files. You will not even know they were opened, since malware does not want to be loaded in the open and gets executed in hidden windows or JavaScript objects.
The "victim" who runs an insecure and widely-targeted system and then won't learn the most basic things about how to secure it?
Yeah. Totally absurd to think anyone would mess with them. Hey I know. Let's tell them they are total victims. Let's tell them the decisions they make have absolutely no bearing on what they experience. They are merely giant leaves carried by the wind with zero control over their lives. Let's embrace total fatalism just because there are bad people! Nope, no free will here, we rejected that because it might mean telling somebody to wise up and quit being such a wide-open target in the face of well-known threats.
Let's do it in an irritable emotional way that can't resist doing some name-calling, you douche, because disagreement with me is the definition of being a douche. People who approach it that way are always the ones with the truth, dontcha know that from their impeccable logic?
Does this apply to docx files, or just doc/docm files? The newer Word versions have removed macro functionality from the docx files, and require you to use docm files for any of that. 2007/2010 also refuse to run macros on any kind of files from non-trusted locations. Or is this an old-fashioned exploit that relies on a buffer overflow or such in a non-macro document?
if it infected ds roms, that would be friggin brilliant.
world was created 5 seconds before this post as it is.
By root you mean Administrator privileges and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.
I wonder if this bug is XP only or XP/Vista/7. If it Vista/7, will UAC stop it?
This article is light on details and doesn't give admins a lot to work with. Microsoft generally will release KB articles describing the exploit and workaround/prevention methods to prevent it.
> and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.
Someone wasn't paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.
On XP, you are right, but I believe the XP marketshare is getting smaller every day.
If you don't think you need a firewall on your border and you don't have one anyway, you are doing it wrong. Defense in depth is the only thing that works; think about security at every layer.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you.
Im not seeing why it follows that kernel vulns do not require root to do their worst. The kernel interacts with userland as much as anything else, right?
Well if it needs root that pretty much leaves out Vista and 7, unless you have a user that is dumb enough to click yes on "Hey you didn't try to install anything but this (insert huge random number) wants to have admin rights, yes or no" which if they click yes you have worse problems. I'm also gonna assume that Office 2K10 does like 2K7 and by default disables scripting and running code unless you specifically enable it (since TFA is seriously light on any details more than "ZOMG weesa gonna die!") so that removes Office 2K7 and 2K10.
So you are looking at XP users, running as root, accepting Word docs and having Word 2k or 2K3. Not a small number but most businesses shouldn't be letting users run as root and should have all incoming docs scanned for malware so that should seriously cut down the numbers. I wouldn't be surprised if a lot of their infections can't be traced down to luring the suckers, using age old tricks like "Free porn passwords.doc" or "Free WoW keys.doc" or some other classic social engineering trick. Most of the infection I see nowadays can be traced straight to PEBKAC, either wanting something for nothing, ala "New_Hit_Pop_Song.mp3.exe" or trying to see teh boobies ala "Free porn passwords.doc". In the end there is only so much you can do about stupid and still let them have control over their machines.
ACs don't waste your time replying, your posts are never seen by me.
Yea, and firewalling SMTP is a good way to stop you getting any mail.
Wait, what does the OS have to do with the mail client, or with what you can embed into what documents? I mean, if you want to discuss awful clients, we could talk about Mac Mail, or I could simply remind you that Outlook and Word are both available for OSX too and hardly count as MS OS features.
As for "random native code on the internet", I'm pretty sure Safari et al support NPAPI plugins, which are essentially the same thing, and perhaps a little easier to install than an ActiveX program in IE9.
The reason is because of crap that listens to undocumented TCP/IP ports, onto which a single UDP packet can take over and start spewing itself all over the internet.
If you want to deserve an informative mod, you might want to cite a source on that. Pics, or it didn't happen.
Also, if OSX is so much better, how come at Pwn2Own Every Single Year, OSX / Safari falls first?
(2010 MIGHT have been a tie, or someone else first, but OSX was done on day 1 regardless - couldn't find the exact order). You will also note that this is DESPITE Apple's attempt to slip in last-minute fixes prior to the contest.
Listen, if you want to rely on your OS to provide "Security" and "Hacker Prevention", go right ahead. The more folks you convince to use your platform, the more quickly the playing field is leveled, and the quicker we see the reality of the situation with regard to OS security. Hope you have your bootkit removal tools ready.
You don't have a kernel security bug in the word processor, you have it in the kernel.
The word processor makes kernel calls all the time; usually wrapped in crt.dll and cpp.dll calls but it's kernel calls in the end.
Opening a file and locking a file requires a kernel call.
blog.sam.liddicott.com
This is old news. Microsoft Office was probably the largest vector for computer virus infections in the mid 90s. VBA means that opening your document can pretty much do anything since it can hook into Win32 and 99% of users ran as administrators.
Nowadays, Windows users aren't admins by default, and there are some protections to prevent macros from being run without your permission, but all that stuff is still in there. Office has always been a de facto part of the OS because the only way Microsoft could ever compete was to build secret doors into Windows that would allow their apps to do things their competitors couldn't.
Although MS has gotten better about these sorts of criminally incompetent things, they were all built in from the ground floor, so they'll never be completely eliminated until we get Windows "NTNT".
You are in a maze of twisty little passages, all alike.
* golf clap *
I drank what? -- Socrates
The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions. If this was some undocumented API call in Word, then the exploited function might not validate inputs very well.
> I might know it's a fake if there were grammatical errors
In most companies, you'd know it was bogus if it came from the CEO and *didn't* contain grammatical errors...
So your company lost all its marketing, production & engineering documents for your trade secret widgets & it was due to a Microsoft bug.
Is Microsoft responsible for allowing a Word condition allowing executables in or the Windows OS for having holes?
Or is your company responsible for the total loss of its trade secret intellectual property?
Now who do the aggrieved shareholders sue?
#666 Fall prey to exploit like docx
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
> SOPHOS
> Free Trials Security News/Trends
> Stopping Fake Antivirus
> How to keep scareware off your network
> Download now.
I found that in my inbox a short while ago. At the time, the irony hit me like a sledgehammer - Sophos wants to make me aware of fake AV, Sophos should be warning me against downloading and installing random shit from the internet - so they invite me to download some random shit from the internet which may or may not be a legitimate random shit. Hmmmm. Yeah - I'll save my clicks, thank you . . . .
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I think you should take your uptight ass for a nice long walk, off of a very short pier. Some of you people seem to have learned nothing in school, except spelling and grammar. It was the only place where you ever earned any praise. Since you are in no way superior to anyone else in any other field, you feel the need to make your inane grammar nazi posts here, there, everywhere.
Sux2bU, huh?
Yeah, I'm afraid you're right and I don't like it. Antivirus programs now are an incredible PITA already - in many cases, they degrade the system more than do viruses. If this really is tick-tock in the security area, I dread to contemplate what "tock" the security companies will come up with in answer to this kind of thing.
AHHHH-HAA-HAAA!
I don't read much of anything in my inbasket. I guess that makes me a high level employee?
COO: Did you read my email?
Me: Well, hell no! I'm too busy to read mail.
COO: Well, it said you'd be fired if you didn't read it.
Me: Cool. Six months paid vacation, courtesy of the Employment Commission!
COO: To hell with that, I have some shit jobs that need to be done before you go anywhere.
Me: Well, Fuck you very much, Sir!
I saw this next to the story:
> It is important to note that probably no large operating system using current
> design technology can withstand a determined and well-coordinated attack,
> and that most such documented penetrations have been remarkably easy.
> -- B. Hebbard, "A Penetration Analysis of the Michigan Terminal System",
> Operating Systems Review, Vol. 14, No. 1, June 1980, pp. 7-20
This works well, right up until the point where you need an attachment from someone outside the company.
Say... the latest revision to a requirements doc being sent back and forth between a client and a vendor...
Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
Give the outside consultant VPN access to a restricted share.
I haven't seen any mention of whether the document attack vector affects OpenOffice and LibreOffice users as well.
I do not fail; I succeed at finding out what does not work.
I like how the AC security experts come out, spit something that sounds almighty, and don't offer any explanation.
Oblivion Awaits
Still the first user created is an administrator of the machine. Most people use that account (home users anyway). They still just press OK to the pop up. Or they want the pop to just go away. I still see people running windows 7 and their machines are malware factories. They said OK to one thing that downloads the rest. If they had created a non admin account and used that non admin account they would only hose that account not the whole machine. I have people that believe that they have to be admin to work. They refuse to do anything unless they are admin on the machine. I am not allowed to fire them. I wish I could.
> The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. It's wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.
The only good answer (today) to rootkits is host-based scanning. Do everything on VMs, and do your AV from the host. Eventually that too will fall, but so far there aren't any credible "VM escape" attacks (there are some interesting beginnings), so you can keep the host safe, and a rootkit on the guest should present no real obstacle to the host. Sadly, there's not much to choose from to scan from a thin hypervisor yet.
Eventually, the only good answer will be to cryptographically lock down the host/hypervisor with something like TC/TPM - if we can ever get such a thing that's not totally corrupted for DRM purposes!
Socialism: a lie told by totalitarians and believed by fools.
Or use the company's website or intranet to access docs. You could send/phone the remote person an ID to get in.
It would be glorious if that were a phishing attack.
"Your OC has spyware, click here"
Becomes
"Your network has users vulnerable to spyware phishing, click here"
And of course people would fall for it.
Fortunately, all that scripting stuff is off by default in Office now. Unfortunately, there are still companies that use the scripting nonsense (especially in Excel), so those users are used to clicking OK on the "enable scripting" pop-up.
Lol, my bad I wanted to find an article of viruses that do more shit than this one from attachments, didn't read it too closely, oh well still too lazy to find another one.
I'm probably wrong, but I'd just assume that any modern malware would reach out from the infected machine to hit port 80 on some botnet controller machine. If your goal is to infect vast quantities of end-user PCs, you can bet almost all of them get through to port 80, even if just about everything else is blocked.
> The most secure operating system in the world is no match for a user with the root password.
SE Linux does a good job of addressing this - of course it's not perfect, and chances are this particular strategy would work even in SE Linux. Note that the user doesn't need the root password for this one. Yuck.
I'll be the first to admit, I don't really know much about Duqu in particular or what kernel exploit it used. In my head, I imagined a kernel function that took a LPSTR type input and didn't bother checking to see how long it was (classic buffer overflow). It's probably more complicated than that, but ultimately my bet is that the kernel did not sanitize userland inputs very well.
I guess undocumented API call on account of it being unknown. Most of the known API calls would probably have been poked and prodded by now, so that the vuln wouldn't be unknown. All speculation on my part.
Based on its contents, that article was written sometime late 2001, but nowhere does PCW show any indication of its original publication date! Now that is true bogosity in action.
For every problem there is a solution that is simple, obvious and wrong.
x86 ASM is horrible on the eyes, so I don't blame you for not wanting to really look at it. Most of my disassembly experience hacking comes from PowerPC (I hack Wii games as a hobby). PowerPC ASM is very easy to read.
However, I would imagine that the exploit should be pretty easy to see from just an ASM dump; it's probably written in ASM as it is, because a compiler wouldn't write good shellcode. Exploits themselves are not terribly complicated, it's the rest of the Duqu architecture that layers the tricks on thick.
This thing has encrypted resources out the wazoo, though. That makes it difficult to read. I hear IDA is a good disassembler for understanding encryption and other obfuscation techniques. But the exploit itself is probably not encrypted.
I doubt they'd be using text input or keypress events. More likely, it's probably some innocuous call, e.g. GetVersionOfWord(LPSTR path). Except that the path variable is strcopied into a stack variable which was only MAX_PATH+1 in length, or something tragic like that.
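Added illustration, not Duqu's exploit and not any real Windows API: the bug class this comment and the earlier one about an unchecked LPSTR argument speculate about, a hypothetical GetVersionOfWord-style function that strcpy's a caller-supplied path into a MAX_PATH+1 stack buffer, beside a checked version that refuses over-long input. The function names, the use of MAX_PATH as the buffer size, and the sample paths are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* MAX_PATH is 260 on Windows; here it is just the buffer size for the example. */
#define MAX_PATH 260

/* Hypothetical "before" function (assumed name, not a real Windows API):
 * the caller's path is strcpy'd into a fixed MAX_PATH+1 stack buffer with no
 * length check. Input longer than MAX_PATH bytes writes past the end of buf,
 * which is the classic stack overflow the comments speculate about. It is kept
 * here only to show the defect; never feed it untrusted or over-long input. */
int get_version_of_word_unchecked(const char *path)
{
    char buf[MAX_PATH + 1];

    strcpy(buf, path);          /* unbounded copy: the defect */
    return (int)strlen(buf);    /* stands in for "do something with the path" */
}

/* Length of s, scanning at most limit bytes, so an unterminated or over-long
 * input never makes us read past limit. (Avoids relying on strnlen.) */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;

    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: validate the caller-supplied length before copying and
 * reject anything that would not fit. Returns the copied length, or -1 when
 * the input is NULL or longer than MAX_PATH bytes. */
int get_version_of_word_checked(const char *path)
{
    char buf[MAX_PATH + 1];
    size_t n;

    if (path == NULL)
        return -1;
    n = bounded_len(path, MAX_PATH + 1);   /* scan one byte past the limit */
    if (n > MAX_PATH)
        return -1;                         /* would overflow buf: refuse */
    memcpy(buf, path, n);
    buf[n] = '\0';
    return (int)strlen(buf);
}

/* Constructed sample input: MAX_PATH + 63 'A' bytes, far longer than buf.
 * The checked function must reject it (returns -1). */
int demo_overlong_rejected(void)
{
    char big[MAX_PATH + 64];

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return get_version_of_word_checked(big);
}

/* Constructed edge case: exactly MAX_PATH bytes still fits and is accepted. */
int demo_exact_limit_accepted(void)
{
    char edge[MAX_PATH + 1];

    memset(edge, 'B', MAX_PATH);
    edge[MAX_PATH] = '\0';
    return get_version_of_word_checked(edge);
}

int main(void)
{
    const char *ok = "C:\\Users\\alice\\report.docx";   /* constructed, 26 bytes */

    printf("checked(ok)      = %d\n", get_version_of_word_checked(ok));
    printf("checked(260 'B') = %d\n", demo_exact_limit_accepted());
    printf("checked(323 'A') = %d\n", demo_overlong_rejected());
    printf("checked(NULL)    = %d\n", get_version_of_word_checked(NULL));
    return 0;
}
```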
I shouldn't have to be admin on my computer at my job. In fact, they took those rights away from me once. The conversation at 2 a.m. was pretty awesome:
"I can't log on to the VPN from here."
"Well they took away my admin rights and the Juniper VPN plug-in won't run."
"Yeah, I'd love to come into the office, but I'm in Florida for the weekend. Atlanta's a bit far away, and I'm on my third vodka and tonic."
"I don't have enough money in my checking account to cover a plane ticket that you'll reimburse me for next month. It'd be a few days to get it transferred from my savings account at another bank."
"I guess you'll just have to find someone who can work on it. Have you tried turning it off and on again? Is it definitely plugged in?"
"You've SEEN THAT SHOW?!?! I love you. Oh hold on, people are getting naked in the pool, ciao!"
You know, I'm a linux fanatic and a security freak, but you, sir, are an asshole.
--
BMO
Joe Employee does not maintain his workstation and is not responsible for it. Blaming Joe Employee for opening an attachment with a zero-day exploit from "The COO" is being an asshole.
It's not ad-hominem if the person really is an asshole.
You're an asshole. Deal with it.
--
BMO
You expect Joe Employee to be an expert in IT.
Right off the bat "Should be smart enough to configure Word to not execute attachments"
No, this is the IT department's responsibility.
I'm not going to read any more because your argument is full not doing your job if you are an actual IT support person.
Have a great day.
--
BMO
Not correct. I believe out of the box the "administrator" account is disabled on Vista and 7. They forced people to do non-admin, which was what the entire UAC debacle in vista was about.
The problem I foresee with this is that in Win 7, once you hit yes to a UAC prompt, it caches that yes for a bit. It works kind of like Ubuntu in that respect.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Does Open/LibreOffice have the same problem?