Anatomy of Duqu exploit

Ivan Teblin (Kaspersky Lab)


Everybody's heard about Duqu, haven't they? While all these interesting topics about the different stages of its penetration into the system and various guesses about the people and organizations behind the malware are closely investigated, this particular research focuses on the very beginning of the intervention's storyline: delivering an active CVE-2011-3402 exploit from email directly into the Windows kernel.

One popular Internet assumption about the Duqu exploit was its dependency on a new vulnerability in Microsoft Word's parsing of the OLE2 document format, allowing CVE-2011-3402 to be activated in the kernel. In turn, the newer OpenDocument format (.docx) was considered to be more secure, probably thanks to this misconception. This presentation will prove that many formats (including these two) can be a trigger of the same kind of vulnerability as long as we have a) ordinary clicking users, b) a suitable clickable format and c) an exploitable kernel-based parser such as the TTF processor. The real mechanics of the exploit will be investigated and several attacking scenarios will be demonstrated on live samples containing safe demo shellcode.

We'll also investigate another interesting attack vector by applying the same technique to HTML5 web pages and email bodies. As the demonstration will show browsers reacting in distinctly different ways, we'll analyse the differences in their behaviour.
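The common ingredient in both the document-based delivery described above and the HTML5/email variant is an embedded font that the victim's system hands to the kernel TTF parser. The following triage helper is an added example written for this page, not code from the talk or from Kaspersky Lab: it flags embedded font parts inside zip-based Office/ODF packages (by extension and by sfnt header) and lists every font source pulled in by an @font-face rule in an HTML or email body. The package layout, the extension list and the sample inputs are constructed assumptions, not data from the presentation.

```python
"""Added triage example (not part of the presentation): flag the embedded fonts
that document packages and HTML/email bodies would hand to the kernel TTF parser."""
import io
import re
import zipfile

# sfnt headers for TrueType, legacy Mac TrueType, CFF-based OpenType and collections.
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
# Extensions assumed for embedded fonts in Office/ODF packages; .odttf is an
# obfuscated TTF whose first bytes are XORed, so it carries no plain sfnt header
# and is only caught by name.
FONT_EXTENSIONS = (".ttf", ".otf", ".ttc", ".odttf", ".fntdata")

FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.IGNORECASE | re.DOTALL)
SRC_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def embedded_fonts_in_package(data: bytes) -> list:
    """Return the names of zip entries that are, or claim to be, font files.

    Both checks run on every entry, so a font renamed to look like an image
    (the 'suitable clickable format' only needs to carry the bytes) is still
    caught by its sfnt header.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            by_name = name.lower().endswith(FONT_EXTENSIONS)
            with zf.open(name) as entry:
                by_magic = entry.read(4) in SFNT_MAGIC
            if by_name or by_magic:
                hits.append(name)
    return hits


def font_face_sources(markup: str) -> list:
    """Return every URL (remote or data: URI) referenced from an @font-face rule."""
    sources = []
    for block in FONT_FACE_RE.findall(markup):
        sources.extend(SRC_URL_RE.findall(block))
    return sources


def build_sample_package() -> bytes:
    """Constructed stand-in for a .docx: one declared embedded font and one
    font hidden under an image name. Contents are dummy bytes, not a real font."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/fonts/font1.odttf", b"\x5a" * 64)          # obfuscated font part
        zf.writestr("word/media/image1.png", b"\x00\x01\x00\x00" + b"\x00" * 60)  # sfnt header under a .png name
    return buf.getvalue()


# Constructed HTML body: one inline (data: URI) font and one remote font.
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: 'x'; src: url(data:font/ttf;base64,AAEAAA) format('truetype'); }
@font-face { font-family: 'y'; src: url("fonts/y.ttf"); }
</style></head><body>Hello</body></html>"""


if __name__ == "__main__":
    print("package fonts:", embedded_fonts_in_package(build_sample_package()))
    print("@font-face sources:", font_face_sources(SAMPLE_HTML))
```

Run against a real mailbox or document store, the two lists are what a responder would route to sandboxing: a document that carries a font part at all, or a message body that loads one, is rare enough in most environments to be worth a second look regardless of which container format delivers it.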
