The hackers behind the Stuxnet-like Duqu Trojan moved the command and control (C&C) server which communicates with the malware to Belgium in an attempt to evade detection, according to security researchers at Symantec.
The firm noted in a blog post that all samples of Duqu code recovered previously were configured to contact a server hosted in India.
"This particular Duqu file [however] was configured to communicate with a server in Belgium with the IP address '220.127.116.11'," it added.
"The server has since been taken offline. We appreciate the cooperation from the hosting provider [Combell] in taking action immediately after being contacted."
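The Belgian C&C address quoted above is the one concrete network indicator in the report. As an added example (not code from the V3 article or from Symantec), the script below parses constructed firewall-export log lines and reports every host that connected, or tried to connect, to that address. The log format, the sample lines and the internal host addresses are all assumptions made for the example; the only real value is the 220.127.116.11 indicator taken from the article. Comparing parsed IP objects rather than raw substrings avoids matching unrelated addresses such as 220.127.116.110.

```python
"""Added example: flag outbound connections to the Duqu C&C address named in the article.
Log format, sample lines and internal hosts are constructed for the example."""
import ipaddress
import re
from collections import Counter

# Indicator from the article: the Belgian C&C server IP reported by Symantec.
DUQU_C2_IPS = {"220.127.116.11"}

# Constructed sample log in a simple export format: timestamp action src dst dst_port.
SAMPLE_LOG = """\
2011-11-04T09:12:01Z ALLOW 10.0.4.17 220.127.116.11 80
2011-11-04T09:12:05Z ALLOW 10.0.4.17 93.184.216.34 443
2011-11-04T09:13:44Z DENY 10.0.7.2 220.127.116.11 443
2011-11-04T09:14:10Z ALLOW 10.0.4.99 220.127.116.110 80
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed or non-IP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "src": str(src),
        "dst": str(dst),  # normalised address string, so "in" below is an exact match
        "port": int(m["port"]),
    }


def find_c2_hits(log_text, indicators=DUQU_C2_IPS):
    """Return every parsed record whose destination is a known C&C address.
    DENY entries are kept on purpose: a blocked beacon still means the host is infected."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["dst"] in indicators:
            hits.append(rec)
    return hits


def hosts_to_triage(hits):
    """Aggregate hits per internal source host, sorted for stable reporting."""
    counts = Counter(h["src"] for h in hits)
    return sorted(counts.items())


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["action"]:5} {h["src"]} -> {h["dst"]}:{h["port"]}')
    print("hosts to triage:", hosts_to_triage(hits))
```

Run against a real export by replacing SAMPLE_LOG with the file contents; extend DUQU_C2_IPS only with indicators from a trusted source, since the Indian server mentioned in the article is not identified by address here.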
Symantec also revealed that the zero-day vulnerability associated with the Trojan is exploited through a Microsoft Word document and, if successful, then installs a Microsoft Word document.
The security vendor added that six possible organisations in eight countries including France, Vietnam and Ukraine have confirmed infections.
Late on Thursday, Microsoft released a temporary fix for the kernel vulnerability which allows Duqu to infect machines.
The vulnerability in the Win32k TrueType font parsing engine, if exploited, could allow the attacker to "run arbitrary code in kernel mode", according to Microsoft.
Redmond said it is working on a "high quality" update as well, although it will not be ready in time for this month's Patch Tuesday.
Duqu has been hitting the headlines regularly since it was discovered a fortnight ago, as it shares much of its code with the infamous Stuxnet worm.
Some believe it was written by the same authors, although other experts have argued that, because many security vendors already block such code, reusing it would be a pointless strategy for these cyber criminals.
By Phil Muncaster, posted in V3
Source : Exploit-Id