Symantec has discovered a zero-day exploit for virtually all versions of Windows that is abused by the Duqu malware. This Stuxnet-like trojan is possibly being used to spy on a supplier to the military that also operates in the Netherlands.
The trojan appears to exploit a previously unknown flaw in Windows that affects virtually all versions of the operating system. Microsoft confirms the problem and says it will soon come with a fix, which may even be released before the monthly patch round. That patch round is already next Tuesday, which indicates how seriously the Windows vulnerability is being taken. In the meantime, there is a temporary workaround.
According to Symantec, the number of confirmed Duqu infections is still limited, but researchers have nonetheless observed infections in a number of countries, including the Netherlands. In total, Symantec has confirmed infections in eight countries. Besides the Netherlands, confirmed infections have been found in France, Switzerland, Ukraine, Iran, Sudan and Vietnam.
There are also reports of infections in Hungary, Indonesia and the United Kingdom. Strikingly, the infections appear to be limited to six networks, which, according to Symantec, does not necessarily mean six separate companies. Based on the discovered IP addresses, the researchers will not say which company or companies are involved.
A salient detail is that Symantec is publishing its discovery less than a week after an attack on Acal BFi, a major European supplier to the military. Acal BFi is active in many of the countries in which Symantec has confirmed infections. Tweakers.net previously reported on this company when it was discovered that hackers had earlier carried out a successful attack on it. The attackers obtained access to the extranet and sent e-mails to employees, which may have contained malware.
This approach seems to fit the way the Duqu malware spreads. Symantec says it has discovered how Duqu was distributed in one case: the attackers sent a Word document in which malicious code was hidden.
This code exploits a hitherto unknown vulnerability in the way Windows handles TrueType fonts, which lets an attacker run code at kernel level. The vulnerability can probably also be abused through programs other than Word, and even via websites. It is not clear whether the Word method was also used in other cases. The Windows Server edition without a GUI is not affected by the vulnerability, because it does not need to parse fonts.
If victims were infected via the Word document, the infected computer communicated with the attackers' command servers via a peer-to-peer mechanism. At least one of those servers is said to have been located in Belgium. The Duqu malware was discovered by Symantec in mid-October, but the malware appears to be more advanced than was assumed at the time of its discovery.
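Because the dropper described above arrived as a Word document carrying a malicious font, one cheap triage step for defenders is to surface any Office Open XML document that embeds fonts at all, so it can be examined in a sandbox before it reaches a user. The script below is an added example, not code from the article or from Symantec; it assumes the standard OOXML layout in which embedded fonts are stored as `word/fonts/*.odttf` parts and declared in `word/fontTable.xml` with `w:embedRegular`, `w:embedBold`, `w:embedItalic` or `w:embedBoldItalic` elements, and it builds a minimal constructed `.docx` in memory so it runs offline.

```python
"""Triage helper: flag .docx files that carry embedded fonts.

Added example (not from the article). It does not detect the exploit itself;
it only reports whether a document embeds fonts, which is the carrier the
article describes, so such documents can be routed for closer inspection.
Assumption: OOXML keeps embedded fonts under word/fonts/ and declares them
in word/fontTable.xml via <w:embedRegular>/<w:embedBold>/... elements.
"""
import io
import re
import zipfile

# Matches the four WordprocessingML embed declarations; the group captures
# which face (Regular, Bold, Italic, BoldItalic) is embedded.
EMBED_TAG_RE = re.compile(r"<w:embed(Regular|Bold|Italic|BoldItalic)\b")


def embedded_font_report(docx_bytes: bytes) -> dict:
    """Return the font parts and embed declarations found in a .docx blob."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        # Any part under word/fonts/ is an embedded (obfuscated) font file.
        font_parts = sorted(n for n in names if n.startswith("word/fonts/"))
        declared = []
        if "word/fontTable.xml" in names:
            table = zf.read("word/fontTable.xml").decode("utf-8", "replace")
            declared = EMBED_TAG_RE.findall(table)
    return {
        "font_parts": font_parts,
        "embed_declarations": declared,
        "suspicious": bool(font_parts or declared),
    }


def build_sample_docx(with_font: bool) -> bytes:
    """Construct a minimal, deliberately incomplete .docx for demonstration.

    The bytes are constructed here and are not a real document; only the
    parts the report function looks at are present.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_font:
            zf.writestr(
                "word/fontTable.xml",
                '<w:fonts><w:font w:name="ExampleFont">'
                '<w:embedRegular r:id="rId1"/></w:font></w:fonts>',
            )
            # Constructed placeholder bytes standing in for an .odttf part.
            zf.writestr("word/fonts/font1.odttf", b"\x00" * 64)
        else:
            zf.writestr("word/fontTable.xml", "<w:fonts/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(f"with_font={flag}: {embedded_font_report(build_sample_docx(flag))}")
```

Run it on real mail attachments by passing the file bytes to `embedded_font_report`; a `suspicious` result is a reason for sandbox analysis, not proof of malice, since legitimate documents also embed fonts.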
Overview of countries with Duqu infections. Red is confirmed, orange is unconfirmed.