Hungarian researchers have discovered a previously unknown Windows kernel vulnerability that is exploited by the installer for Duqu, the Stuxnet-like Trojan first detected in October. The researchers at the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics, who were the first to identify Duqu, have reported the vulnerability to Microsoft and other organizations, and a patch is in development.
According to a Symantec analysis of the exploit, Duqu's installer was delivered to target systems embedded in a seemingly legitimate Microsoft Word document. When the document is opened, the embedded exploit is triggered and runs shellcode that installs the malware's DLL and driver file on the system by hijacking the Windows Service Control Manager.
The shellcode that CrySyS found in the Duqu installer was written to allow installation only during an eight-day window in August. Once installed, Duqu can spread to other computers over network file shares and connect back to a command-and-control (C&C) network over the Internet. Researchers found that when Duqu infects systems that are not directly connected to the Internet, it uses a file-sharing protocol to reach infected computers that do have Internet access, which then relay its traffic back to the C&C network.
So far, confirmed Duqu infections have been reported in France, the Netherlands, Switzerland, the UK, Ukraine, Austria, Hungary, Iran, Sudan, Vietnam and Indonesia.
Duqu communicated with servers in Belgium, which have since been shut down, but it is unknown whether the malware has been modified and used for other attacks.
http://arstechnica.com/business/news/2011/11/researchers-discover-zero-day-windows-exploit-in-duqu-virus.ars

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit application vulnerabilities that are unknown to the software developer or to others. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.
The term derives from the age of the exploit. A "zero-day" attack occurs on or before the first, or "zeroth", day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software.
http://en.wikipedia.org/wiki/Zero-day_attack