Duqu Server Moved to Belgium

Tuesday, November 8, 2011 @ 12:11 PM gHale


The command and control (C&C) server that communicates with the Duqu Trojan moved to Belgium in an attempt to evade detection, said security researchers at Symantec.

The firm said in a blog post all samples of Duqu code recovered previously were configured to contact a server hosted in India.


“This particular Duqu file [however] was configured to communicate with a server in Belgium with the IP address ‘77.241.93.160’,” it added.

“The server has since been taken offline. We appreciate the co-operation from the hosting provider [Combell] in taking action immediately after being contacted.”

Symantec also said the zero-day vulnerability associated with the Trojan is exploited through a Microsoft Word document and, if the exploit succeeds, installs the Trojan.

The security vendor added that six possible organizations in eight countries including France, Vietnam and Ukraine have confirmed infections.

Late on Thursday, Microsoft released a temporary workaround for the kernel vulnerability that allows Duqu to infect machines.

The vulnerability in the Win32k TrueType font parsing engine, if exploited, could allow the attacker to “run arbitrary code in kernel mode,” Microsoft said.

Microsoft is working on a “high quality” update as well, although it will not be ready in time for this month’s Patch Tuesday.

Duqu shares much of its code with the Stuxnet worm.

Some believe the same authors also wrote Duqu, while other experts said it would be a pointless strategy for these cyber criminals because many security vendors already block such code.
