Last-minute paper: Duqu 2.0 Win32k exploit analysis

Thursday 1 October 11:30 - 12:00, Green room

Jeong Wook Oh (Microsoft)
Elia Florio (Microsoft)


The sophisticated Duqu 2.0 cyberespionage attack, discovered by Kaspersky Lab, was named for its close similarity to the original Duqu malware. The full malware set and the attack itself are very complex: the malware has multiple modules, including advanced exploits for previously unknown vulnerabilities.

In this talk, Microsoft wants to share some of the very interesting findings we had while investigating the Win32k exploit included in the Duqu 2.0 malware. This will shed light on what the threat actors are capable of, and what their technical abilities are like.

First, the vulnerability Duqu 2.0 used for elevation of privilege (EOP) is a Win32k use-after-free bug (CVE-2015-2360). Starting from this use-after-free condition, the attacker built a very reliable and portable exploit using a variety of techniques.

Second, the attacker obtained full read-and-write access to kernel memory using a relatively simple vulnerability. With that read-and-write primitive, the attackers injected their shellcode into kernel space and bypassed the Supervisor Mode Execution Protection (SMEP) feature to launch it directly at ring 0 in the kernel.

All the techniques used are unique, and we may see similar advanced persistent threat (APT) attack methods in the future. Sharing these findings can improve the security software industry's understanding of current attack techniques and trends, so that we can develop strategies to help protect people from these types of attacks.
