Last-minute paper: Duqu 2.0 Win32k exploit analysis

Thursday 1 October 11:30 - 12:00, Green room

Jeong Wook Oh (Microsoft)
Elia Florio (Microsoft)

  download slides (PDF)

The sophisticated Duqu 2.0 cyberespionage attack, discovered by Kaspersky Lab, was named as such due to its close similarity to the original Duqu malware. The full set of the malware and attack are very complicated. It has multiple modules, which include advanced exploits from previously unknown vulnerabilities.

In this talk, Microsoft wants to share some of the very interesting findings we had while investigating the Win32k exploit included in the Duqu 2.0 malware. This will shed light on what the threat actors are capable of, and what their technical abilities are like.

First, the vulnerability Duqu 2.0 used for the elevation of privilege (EOP), is a Win32k use-after-free bug (CVE-2015-2360). With the use-after-free condition, the attacker created a very reliable and portable exploit using various techniques.

Second, the attacker obtained full read-and-write memory access to the kernel using a relatively simple vulnerability. With the read-and-write ability, the attackers injected their shellcode into the kernel space and bypassed the Supervisor Mode Execution Protection (SMEP) feature to launch it directly in the kernel ring-0 level.

All the techniques used are unique, and we might see similar advanced persistent threat (APT) attack methods in the future. Sharing these findings can benefit the security software industry's understanding of the current attack technique and the trends, so that we can develop strategies to help protect people from these types of attacks.

Click here for more details about the conference.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.