Here’s a killer joke. The authors of the Duqu malware are apparently big fans of the Showtime series ‘Dexter,’ because they’ve inserted a reference to it in the code of the malware’s exploit, Russian cybersecurity firm Kaspersky Labs has discovered.
The reference was found in a phony custom font file used in a decoy Microsoft Word document that the hackers emailed as an attachment to what cybersecurity experts believe was the first victim, a company whose name has not yet been disclosed.
The phony font file was called “Dexter Regular” and contained the message “Copyright (c) 2003 Showtime Inc. All rights reserved. DexterRegularDexter RegularVersion 1.00 Dexter is a registered trademark of Showtime Inc.”
The “Dexter Regular” font file contained the shellcode of the malware, that is, the code that compromised a previously unknown vulnerability in Windows’ embedded font rendering engine.
There is a legitimate custom font known as “Dexter Regular,” but it was created by font designer Alex Kaczun and is not from Showtime, let alone related to the Duqu virus.
Kapersky’s chief security expert Alex Gostev also notes that the IP address from which the emails were sent is located in Seoul, South Korea, but he said that at this time, the firm believes the “computer was infected earlier by some kind of malicious program and was used unknowingly (to its owner) as a proxy.”
Duqu, which first appeared in April, has been compared by some cybersecurity experts to the infamous Stuxnet worm of 2010 that reportedly damaged Iranian nuclear centrifuges. There’s a running debate as to just how similar the two are, and whether or not the same people were behind both worms.
But there’s no question that Duqu targeted the computers of industrial companies around the globe, particularly in Asia and Europe. At least six organizations in eight countries have been infected with the malware, according to American cybersecurity firm Symantec. Authorities in India recently shut down a server that had apparently been communicating with Duqu-infected machines.
Microsoft recently released a workaround that would stop the malware from communicating with hackers, but it has yet to release a full patch to remove it and plug the hole, saying “the associated risk is minimal for the public.”
