Duqu malware spread by Microsoft Word exploit

The Duqu infection that has been giving security analysts the world over cause for concern has been found to use Microsoft Word vulnerabilities to help spread itself around.

Considered to be a new iteration of the Stuxnet worm that appeared last year in Iranian Nuclear power station computers, Duqu has been sweeping through offices in the UK, France, Iran, Sudan, Vietnam and more, with infected word documents being used to spread the worm.

It was believed that Duqu's surfacing could also mean that there would be a new round of hacks, but Symantec believes that Duqu works in a different way from its predecessor.

"Stuxnet was about spreading as far and as wide as possible to hunt down systems that could pass on control of industrial organisations - such as nuclear power plants," said Greg Day, Symantec's director of security strategy.

"Duqu has specifically targeted a number of organisations looking to scan across their internal systems, gather intelligence and pass it back out.

"The sort of things it's collecting are design documents and other information that could be the reconnaissance for a further attack."

The sophistication of the coding suggests that if the US didn't have a hand in crafting it, then it likely originated from Russia or China - though as it stands the identity of those involved remains unknown.

What is known, however, is that due to the similarities between Duqu and Stuxnet, there had to have been some involvement with the original creators. Whether the Stuxnet code was stolen by the Duqu makers or given voluntary is unclear - and some have suggested that the creators of Stuxnet and Duqu are the same people.

Now that it has been confirmed that Word vulnerabilies are behind most infections, Microsoft is being pushed to develop a fix.

"Microsoft is working with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware," a company statement said.

"We will be providing a security update for customers through our update process."