Four years is a long time. Yet that may be the amount of time that attackers spent on creating and perfecting Duqu (see Nov 4 2011 blog).
Security researchers at Kaspersky Lab have been examining Duqu based on samples provided by the CERT (Computer Emergency Response Team) in Sudan that were used in three attacks against targets in that country earlier this spring. Kaspersky estimates that some of the Duqu components date as far back as 2007. An analysis of the attack indicates that the initial attack point was a spear phishing e-mail {Chapter 2 Security+ 4ed} from a pretender requesting a joint business venture. The recipient was asked to open a Microsoft Word e-mail attachment that used the font Dexter Regular and even had the company's name in the filename. When the victim opened the malicious attachment, it exploited a zero-day vulnerability in TrueType font parsing to become active. Interestingly, it then did nothing until it detected that there had been no keyboard or mouse activity for 10 minutes, at which time it loaded a driver onto the system that would then install additional modules to infect other computers, collect information, and capture keystrokes.
A detailed analysis of Kaspersky's research, which makes for some very interesting reading, can be found at http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter. In addition, security researchers at the Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics in Hungary have made available a free downloadable toolkit that can detect Duqu. It's at http://www.crysys.hu/duqudetector.html.
Stay secure!
http://www.cengage.com/community/infosec
Posted 11-18-2011 1:18 PM by Mark Ciampa