SpiderLabs Blog

Trustwave Protections Deployed: Duqu | Trustwave | SpiderLabs | Trustwave

Written by Robert Foggia | Nov 6, 2011 5:00:00 AM

Recent reports of the zero-day exploit found in the Win32k True Type Font Parsing engine and indications that Duqu is using this attack vector for infection can be quite concerning especially if your systems are at risk. For those who may be unfamiliar with this malware, Duqu has the ability to inject itself into a Windows process and communicate with C&C servers. Once installed, the remote access trojan can for example log keystrokes and gather information on the compromised system.

Trustwave Spiderlabs research has investigated the network activity of this threat and we have implemented protection in our IDS, our secure email solution known as mailMAX and UTM platforms. Specifically the IDS will detect the presence of Duqu command and control messages on the network. Our detection methods accomplish this by using identifiers in the HTTP protocol, in addition to known IP addresses of C&C servers. Further protection can be achieved by using Trustwave mailMAX and/or UTM products which contain signatures in the AV engine that detect Duqu binaries. Below is a summary of the Duqu coverage for Trustwave products.

Product Threat Mitigation
mailMax AV Signatures deployed on 10-19-2011 detect Duqu binaries.
Intrusion Detection System (IDS) Rules deployed on 11-02-2011 detects a common user-agent and IP addresses of C&C servers in Duqu traffic.
Unified Threat Management (UTM) AV Signatures deployed on 10-19-2011 detect Duqu binaries.

Due to the recent dicovery of the True Type Font Parsing vulnerability in the Windows kernel (CVE-2011-3402), further action is required to mitagate against Duqu exploitation. The remote execution flaw in the True Type Font Parsing engine allows a malicious Word document to aid in the installation of the Duqu virus. Microsoft currently recommends end-users to temporary disable the dynamic link library used for displying TruType fonts. More information regarding the affected OS and remediation steps for this issue can be found at the Microsoft's security page:

http://technet.microsoft.com/en-us/security/advisory/2639658

Alternatively, the so called "Fix it" solution from Microsoft can be downloaded at:

http://support.microsoft.com/kb/2639658