Son of Stuxnet Found in the Wild
Diagram of the Duqu malware, courtesy of Symantec.
A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
The new malware, dubbed “Duqu” [dü-kyü], contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet source code, says Liam O Murchu. He’s one of the leading experts on Stuxnet who produced extensive analysis of that worm with two of his Symantec colleagues last year and has posted a paper detailing the Duqu analysis to date.
Duqu, like Stuxnet, masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, Taiwan, which Symantec has declined to identify. F-Secure, a security firm based in Finland, has identified the Taipei company as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but the issuing certificate authority revoked it on Oct. 14, shortly after Symantec began examining the malware. Revocation prevents further code from being signed with that certificate's key, but it does not by itself stop an already-signed driver from loading: Windows does not check certificate revocation when it verifies kernel-mode driver signatures.
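As an added illustration, not part of the article or of Symantec's or F-Secure's analysis, the PowerShell script below shows the check a defender would run after a signing certificate is revoked: it walks the kernel driver directory, reads each file's Authenticode signature, and rebuilds the signer's certificate chain with online revocation checking so that a driver signed with a since-revoked certificate is flagged even though the signature itself still verifies. The driver directory, the function name `Test-DriverSignature` and the reporting format are this example's own choices; the script assumes Windows PowerShell 5.1 or later and network access to the certificate authorities' CRL and OCSP endpoints.

```powershell
# Added example, not code from the article or from Symantec: audit the kernel
# drivers on a Windows host for Authenticode signatures whose signing certificate
# has been revoked, or has expired without a trusted timestamp.
# Assumptions (not from the article): Windows PowerShell 5.1 or PowerShell 7,
# outbound access to the CAs' CRL/OCSP endpoints, and a driver directory that
# defaults to the system one but can be pointed anywhere.
param(
    [string]$DriverDirectory = (Join-Path $env:SystemRoot 'System32\drivers')
)

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = [System.Collections.Generic.List[string]]::new()
    $cert = $sig.SignerCertificate
    $revoked = $false

    if ($sig.Status -eq 'NotSigned' -or -not $cert) {
        $problems.Add('unsigned')
    }
    elseif ($sig.Status -ne 'Valid') {
        # HashMismatch, UnknownError and so on: the file or its signature was altered.
        $problems.Add("signature $($sig.Status)")
    }

    if ($cert) {
        # Build the chain ourselves with online revocation checking, independent of
        # whatever policy Get-AuthenticodeSignature applied, so that a signer
        # certificate revoked after the file was signed is reported.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        # A timestamped signature stays valid after the certificate expires, so
        # expiry is assessed separately below rather than through the chain.
        $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
        [void]$chain.Build($cert)

        foreach ($status in $chain.ChainStatus) {
            switch ($status.Status) {
                'NoError'                 { }
                'Revoked'                 { $revoked = $true; $problems.Add('signer certificate revoked') }
                'RevocationStatusUnknown' { $problems.Add('revocation status could not be determined') }
                'OfflineRevocation'       { $problems.Add('revocation status could not be determined') }
                default                   { $problems.Add("chain: $($status.Status)") }
            }
        }
        $chain.Dispose()

        # An expired certificate is only a problem when nothing vouches for the
        # signing time; a countersignature from a timestamp authority does that.
        if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
            $problems.Add('certificate expired and signature is not timestamped')
        }
    }

    $signer   = if ($cert) { $cert.Subject } else { $null }
    $notAfter = if ($cert) { $cert.NotAfter } else { $null }

    [pscustomobject]@{
        File     = $Path
        Status   = $sig.Status
        Signer   = $signer
        NotAfter = $notAfter
        Revoked  = $revoked
        Problems = $problems.ToArray()
    }
}

# Walk the driver directory and print only the drivers that need a second look.
Get-ChildItem -Path $DriverDirectory -Filter '*.sys' -File |
    ForEach-Object { Test-DriverSignature -Path $_.FullName } |
    Where-Object { $_.Problems.Count -gt 0 } |
    Format-Table File, Status, Signer, Revoked, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
```

A driver signed with the C-Media certificate would show `Status` of `Valid` (the signature itself still verifies) alongside `Revoked` set to `True`, which is exactly the combination that a check relying on the signature status alone would miss. Drivers for which the script reports that revocation status could not be determined should be treated as unverified, not as clean, since a blocked or unreachable CRL endpoint produces the same result as a revoked certificate that was never checked.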
The new code does not self-replicate in order to spread itself — and is therefore not a worm. Nor does it contain a destructive payload to damage hardware in the way that Stuxnet did. Instead, it appears to be a precursor to a Stuxnet-like attack, designed to conduct reconnaissance on an unknown industrial control system and gather intelligence that can later be used to conduct a targeted attack.