You never know what kind of tidbits you can mine from Twitter as you're watching the timeline go by. Today it was a tweet from the official Microsoft Security Response Center (MSRC) account:
As reported by ZDNet's Ryan Naraine on the Zero Day blog, this attack comes from an infected Microsoft Word document.
One version of the attack was triggered by a rigged Microsoft Word .doc that probably included some social engineering and required the target to open the booby-trapped file. However, since this is a kernel vulnerability, it is possible that other attack vectors have been/could be used.
The group that initially discovered the original Duqu binaries, CrySyS, has since located an installer for the Duqu threat. Thus far, no-one had been able to recover the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems. Fortunately, an installer has recently been recovered due to the great work done by the team at CrySyS.
The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they’re working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries. The chart below explains how the exploit in the Word document file eventually leads to the installation of Duqu.
As Microsoft works on a security bulletin concerning this issue, the best advice is the same you should be following every day: don't open unsolicited documents from anyone, and be 100% sure your software is up to date.
Keep an eye on the @MSRCResponse Twitter account for more information.