Threat Research

Hot on the trail of Duqu with Microsoft’s MAPP

Threat Intelligence Team, 11 November 2011

Hot on the trail of Duqu with Microsoft’s MAPP

The Duqu malware has raised the specter of Stuxnet II, with some in the security community claiming that this new Trojan is a reverse-engineered copy of Stuxnet – the infamous malware that may have sold more newspapers than it damaged nuclear centrifuges. Unlike Stuxnet, Duqu is designed to steal data from the targeted organization, not just destroy equipment. First noticed this summer, Duqu self-destructed after 30 days, than vanished again into cyberspace.

But, some traces were caught, enough for researchers to learn that Duqu was spread by emailed document files and attacked via a new vulnerability in the way Windows parses True Type fonts. And that is where Microsoft went to work to MAPP out the solution.

MAPP stands for Microsoft Active Protection – and this is how it works. Microsoft passes information on new vulnerabilities such as the True Type font issue to selected software vendors in its MAPP program. Firms such as AVAST get a heads-up so we can get detections prepared ahead of the public zero-day exploit-report. With MAPP, Microsoft is reducing the possibility and space for a zero-day exploit to break out and spread quickly. Microsoft does more than just hand out information, they also rate each vendor by reaction time with a list of those responding within 48 and 96 hours.

For Duqu, we made our complete detection within 24 hours. Here you can find our web page which tracks these zero day exploits: And, here are the 48 and 96 hour lists from Microsoft: If only they had a 24 hour list, we would be on it. For the techies out there, here is the description of the vulnerability:

With this specific detection of Duqu, we are not yet seeing exploits based on this. Regardless, we – and our users – are prepared.

Information also travels from the AVAST Virus Lab over to MAPP at times. This summer we had an early malware sample of another vulnerability. Then on a Friday morning, thousands of malware samples leveraging that bug started to appear in our statistics (successfully caught by our heuristic detection). This lasted for two more days and then on Monday, the malware simply disappeared. We immediately contacted Microsoft and confirmed the exploit being used in the wild and shared our malware samples with them. The malware appeared twice more, always on Friday and during the weekend, which is a hint that it was probably a targeted attack on non-business users. But that is another story.