
Duqu Font Parsing Exploit Goes Mainstream, Delivers Ransomware


A year-old exploit, previously employed by the W32.Duqu remote-access Trojan, is now being used to deliver ransomware in drive-by download attacks. Happy armageddon day, everyone!

The TrueType Font Parsing Vulnerability (also known as CVE-2011-3402) was, when it was discovered and first publicized in October 2011, a serious zero-day exploit that at the time affected all versions of Windows. When first discovered, the exploit really was one of those rare cats-and-dogs-living-together, mass-hysteria-scale threats, because it not only permits those who wield it to force computers to download and run arbitrary programs, but also to remotely create user accounts on the victim’s computer.

Pretty nasty stuff. Microsoft’s security bulletin also said there’s one silver lining: The exploit only works if the victim visits a Web site hosting the exploit on his or her own — it can’t be done without that human interaction, and “an attacker would have to convince users to visit the Web site” hosting the exploit. Or, as is the case here, they could just put the exploit on a site that people might want to visit, anyway, and then wait for the cash to start rolling in.

Microsoft issued its MS11-087 patch, which (once installed) prevents the exploit from functioning on updated PCs, a year ago almost to the week. But that hasn’t stopped some enterprising malware distributors from trying to use it anyway, because (as was demonstrated during the Conficker worm outbreak) the mere existence of a patch — even one that’s a year old — doesn’t mean that every computer user in the world is going to install it.


Last week, the malware analysis community discovered a number of compromised, legitimate Web sites. Not a whole lot new there. The compromised sites had been modified so that code from another server (geolocated in Washington, DC) would load in an iFrame when anyone visited the legit site. As you can probably guess, the iFrame started the ball rolling on the exploit. The ransomware malware itself came from a third server, located in Saint Petersburg, Russia.


Just to make certain that the infection takes hold, after trying to use the 3402 exploit, the page then also uses the Blackhole Exploit kit to push down the same 254.66KB malware binary. On my vulnerable testbed, the infection with the 3402 exploit took precisely 3 seconds, while Blackhole took 27 seconds to accomplish the same (redundant, in this case) task.


As we’ve seen in the recent incidents, the initial ransomware phone-home communication usually involves performing a geolocation of the infected computer’s IP address, then delivery of the ransomware’s super-scary, full-screen image.


I happen to find myself in the United Kingdom at the moment, so when I deliberately infected a testbed by visiting one of these compromised sites, I was amused to discover that the ransomware displayed not a dire warning message purportedly from the FBI or US Department of Justice, but from Scotland Yard’s famed Police Central eCrime Unit (also known as PCeU), the British nationwide cyber-investigation task force known for, among other high-profile busts, its takedown of some UK ringleaders of attacks by Anonymous and LulzSec.


Now, the PCeU-themed scare-mongering that popped into the infected machine isn’t especially new, but it was ironic that on the same day that I infected my testbed with this malware, the PCeU announced that they had arrested three people who were allegedly responsible for spreading the ransomware in the UK. Coincidentally, the three accused fraudsters were arrested in the city of Stoke-on-Trent, where I was headed to spend the holidays with family, on the day of my arrival. Did those arrests have any effect whatsoever on the activity of the malware on my testbed? Not one iota.


The PCeU-themed ransomware is just as nonsensical as the ransomware which purports to originate from the FBI or DoJ. It alleges that the user of the infected computer has committed one of six heinous criminal acts, and demands tithing of £100.

These horrible crimes include gambling (which is not only legal in the UK, but openly advertised on television and in the windows of legal betting parlors in every town I’ve visited) and “neglect computer use, entailing serious consequences” (which apparently means that you allowed your computer to become infected with a virus). Talk about circular logic; this is the snake oil that ate its own tail.


As for detecting Trojan activity, we found that the malware phoned home to its command-and-control server over port 443/tcp, and exchanged binary data, but did not engage in the normal SSL encryption handshake we’d expect to see. Using the Path Bar query of port_responder="443" and application_id!="SSL" we saw several data flows to, on the same network with a very poor reputation for malicious activity in Saint Petersburg hosting the malware. You can draw your own conclusions about whether this is a network you want anyone connecting to.
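The same detection idea, reduced to code: flag connections to 443/tcp whose first client bytes are not an SSL/TLS ClientHello. This is an added example written for this post, not the Path Bar query or any tool's own code; the flow-record layout (src, dst, dst_port, client_payload) and the sample flows are constructed for illustration.

```python
# Added example (not from the original post): flag 443/tcp flows whose first
# client payload is not an SSL/TLS ClientHello, the phone-home pattern the post
# describes. The flow-record shape and the sample flows are constructed.

TLS_HANDSHAKE = 0x16
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSLv3, TLS 1.0-1.2
CLIENT_HELLO = 0x01


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes open a TLS record whose handshake message is a ClientHello."""
    if len(payload) < 6:
        return False
    content_type = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    handshake_type = payload[5]  # byte 5 follows the 5-byte record header
    return (content_type == TLS_HANDSHAKE
            and version in TLS_VERSIONS
            and handshake_type == CLIENT_HELLO)


def looks_like_sslv2_client_hello(payload: bytes) -> bool:
    """SSLv2-compatible hello: 2-byte length with the high bit set, then msg type 1."""
    return len(payload) >= 3 and (payload[0] & 0x80) != 0 and payload[2] == CLIENT_HELLO


def suspicious_443_flows(flows):
    """Return (src, dst) pairs for port-443 flows that never start an SSL/TLS handshake."""
    hits = []
    for flow in flows:
        if flow["dst_port"] != 443:
            continue
        data = flow["client_payload"]
        if looks_like_tls_client_hello(data) or looks_like_sslv2_client_hello(data):
            continue
        hits.append((flow["src"], flow["dst"]))
    return hits


# Constructed sample flows: a TLS 1.0 ClientHello, a raw binary blob on 443
# (the phone-home pattern), and an ordinary HTTP request on port 80.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.10", "dst_port": 443,
     "client_payload": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dst_port": 443,
     "client_payload": bytes([0x00, 0x00, 0x00, 0x10, 0x41, 0x42, 0x43, 0x44])},
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dst_port": 80,
     "client_payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for src, dst in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"non-SSL traffic on 443/tcp: {src} -> {dst}")
```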

