
5 Things To Do To Defend Against Duqu


Whether or not Duqu is related to Stuxnet's authors or its source code is the least of your worries if your organization ends up in the bull's-eye of this new targeted attack. Microsoft says it considers the threat "low risk" at this point. Trouble is, the names of the organizations that have been targeted thus far have been kept confidential, so we don't know just what Duqu is after exactly, and whether it's focused on a particular industry or region.

"I don't expect Duqu to stop. It looks to be manned on the inside and not on autopilot--they are actively setting up new modules, etc., to keep the operation alive," says Don Jackson, a director with Dell Secureworks Counter Threat Unit. "So [right now] it's an intelligence game."

Even so, there are still some things organizations can do to protect themselves while the world waits for more information on this attack, as well as for Microsoft's patch for the zero-day flaw that was exploited and used with Word to spread the infection. Microsoft late Thursday issued a "hot fix" along with an advisory about Duqu and assured users that antivirus vendors in its MAPP program would be updating their products with Duqu signatures very soon.

Even if you're not a certificate authority or a manufacturing firm--the two industries cited publicly so far as having Duqu victims--security experts say there are some steps you can take to help protect your infrastructure from this new targeted attack.

1. Install the just-released "hot fix" and workaround from Microsoft.

Microsoft is working on a patch, which it will deliver via its regular security bulletin release--just not in time for next week's batch. So in the meantime, Microsoft today began offering a hot fix for the threat that blocks access to t2embed.dll, which is used in the zero-day attack in Duqu.

The flaw lies in the Win32k TrueType font parsing engine, according to Microsoft: "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware," Microsoft said in an advisory Thursday.
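One way to confirm on a given host that access to t2embed.dll is actually blocked after applying the hot fix, as an added example that is not from the article or from Microsoft. The function name `Test-T2EmbedAccess` is hypothetical, and the two system directories and the idea that the block shows up as refused read access or a Deny entry on the file are assumptions.

```powershell
# Added example, not Microsoft's tooling. Reports whether t2embed.dll can still be
# opened by the account running the check, and lists any Deny entries on the file.
# Assumptions: a blocked file refuses read access to this account, and the copies
# live in the standard Windows system directories (paths not taken from the article).
function Test-T2EmbedAccess {
    param(
        # SysWOW64 holds the 32-bit copy on 64-bit Windows; absent on 32-bit hosts.
        [string[]]$Directory = @("$env:windir\System32", "$env:windir\SysWOW64")
    )
    foreach ($dir in $Directory) {
        $path = Join-Path $dir 't2embed.dll'
        $result = [ordered]@{
            Path = $path; Present = $false; Readable = $null
            OpenError = $null; DenyEntries = @()
        }
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $result.Present = $true
            # Functional test: try to open the file for reading.
            try {
                $stream = [System.IO.File]::OpenRead($path)
                $stream.Dispose()
                $result.Readable = $true
            } catch {
                # Access denied is the expected outcome when the block is in place.
                $result.Readable = $false
                $result.OpenError = $_.Exception.Message
            }
            # ACL view: reading the ACL may itself be refused when the file is blocked.
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $result.DenyEntries = @($acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' } |
                    ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
            } catch {
                $result.DenyEntries = @("ACL not readable: $($_.Exception.Message)")
            }
        }
        [pscustomobject]$result
    }
}

# Readable = False on every present copy means this account cannot load the file.
Test-T2EmbedAccess | Format-List
```

A host where `Readable` is still `True` for any present copy has not had the block applied for that copy.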

Read the rest of this article on Dark Reading.