CVE-2011-3402

Stuxnet, Sality, Gauss, Flame still infecting your unpatched boxen

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm. The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7. Since July 2010 it has continued to power the Sality worm, and fueled Stuxnet and its derivatives Flame and Gauss on unpatched machines. The Red October malware emerged in Janu...

This section of the report forms part of the Kaspersky Security Bulletin 2013 and is based on data obtained and processed using Kaspersky Security Network (KSN). KSN integrates cloud-based technologies into personal and corporate products, and is one of Kaspersky Lab’s most important innovations. The statistics in this report are based on data obtained from Kaspersky Lab products installed on users’ computers worldwide and were obtained with the full consent of the users involved. The mobi...

The first quarter of 2013 turned out to be a busy time in IT security. This report will address the most significant events. At the very beginning of the year, Kaspersky Lab published a significant report with the results of a study on the global cyberespionage operation known as Red October. These attacks targeted various government agencies, diplomatic organizations and companies around the world. Analyzing the files and reconstructing the structure of the attack took several months. However, ...

Blackhole gang snap up latest 0-days to build a better mousetrap

The brains behind the Blackhole Exploit Kit is using profits from the hacking toolbox to buy up security exploits and create a far more formidable product. The ubiquitous Blackhole kit is usually installed on compromised websites and uses vulnerabilities in web browsers and other software to inject malware into visitors' PCs. It is widely available through underground forums, and is affordable and reliable. Access to the technology is rented out for about $700 a quarter or $1,500 for a year, oft...

Busy Wednesday for BOFH

It'll be all hands to the pumps in IT departments around the globe as Microsoft has issued this month's round of patches. There are 23 flaws to be fixed. The seven patches include three critical issues, affecting Microsoft Windows, Office, Silverlight, and the .NET Framework. One patch, MS12-034, sorts ten flaws, some of which are publicly disclosed. “Duqu was only designed to exploit specific instances of CVE-2011-3402 that were addressed last year. We have not received any information to ind...

With 2011 coming to its end, it makes sense to sit back and take a look at what’s been happening over the past 12 months in the IT Security world. If we had to summarize the year in a single word, I think it would have to be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to come up with a Top-10 of security stories of 2011. What I was aiming for with this list was to remember the stories that also indicated maj...

The driver is the first component of Duqu to be loaded in the system. As we discovered, the driver and other components of malware are installed with a dropper exploiting a 0-day vulnerability (CVE-2011-3402). The driver is registered in the HKLMSystemCurrentControlSetServices registry path. The exact name of the registry key varies in different versions of Duqu drivers. Once the driver is loaded, it decrypts a small block that contains its registry key and the name of the registry value to be r...

As we informed you earlier, we’ve recently been conducting an investigation into a number of incidents in connection with a Duqu trojan infection. Thankfully we’ve been able to make some headway in getting to the bottom of Duqu and putting together several of the previously absent components without which it has been difficult to understand what’s actually been going on. First things first, we would like to express our sincere thanks to the specialists at CERT Sudan. They’ve been providi...

As we continue to investigate the Duqu targeted attack, there is new information that suggests the malware was created to spy on Iran’s nuclear program. Some background and facts: Back in April this year, Iran announced it was victim to a cyber-attack with a virus called “Stars.” This article offers some additional details on that attack. We can now confirm that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel level exploit in win32k...

This is an active investigation by Kaspersky Lab’s Global Research & Analysis Team. We will be updating this FAQ document as necessary. Duqu is a sophisticated Trojan which seems to have been written by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. This is the main difference when compared to Stuxnet, which was created to conduct industrial sabotage. It’s also important to p...