Researchers discover zero-day Windows exploit in Duqu virus

Hungarian researchers have discovered a previously unknown Windows kernel vulnerability that is used by the installer for Duqu, the Stuxnet-like Trojan first detected in October. The researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics (CrySyS), who were the first to discover the Duqu virus, have reported the vulnerability to Microsoft and other organizations, and a patch is in development.

According to a Symantec analysis of the exploit, Duqu’s installer was delivered to target systems embedded in a seemingly legitimate Microsoft Word document. When the document is opened, the embedded installer is activated and executes Windows shellcode that installs the malware’s .DLL and driver file on the system by hijacking the Windows Service Control Manager.

The shellcode that CrySyS discovered in the Duqu worm was written to allow installation of the virus only during an eight-day period in August. Once the viru