New Stuxnet-Like Worm Discovered
Researchers Label the New Threat "Duqu"
Researchers at the lab, which Symantec did not identify, named the new worm Duqu [dyü-kyü] because it creates files with the file-name prefix ~DQ. It shares a great deal of code with Stuxnet; however, the payload is completely different, Symantec researchers say.
"Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities," the blog says. "The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks."
Symantec says Duqu is essentially a harbinger to a future Stuxnet-like attack. Stuxnet, discovered in June 2010, gained fame when it was credited with crippling Iranian uranium enrichment centrifuges. Israel and/or the United States are prime suspects in the creation of Stuxnet, which targets Siemens industrial software on equipment running on the Microsoft Windows operating system (see What About Stuxnet?).
The newly discovered worm was written either by the same authors as Stuxnet or by others with access to the Stuxnet source code, and it appears to have been created after the last Stuxnet file was recovered, Symantec says. "Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," the blog says. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."
Symantec says the attackers used Duqu to install a so-called infostealer to record keystrokes and gain other system information. "The attackers were searching for assets that could be used in a future attack," the blog says. "In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on Sept. 1. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010."
The blog says one of the variant's driver files was signed with a valid digital certificate that expires next Aug. 2. The digital certificate, belonging to a company headquartered in Taipei, Taiwan, was revoked last Friday.
Symantec says it has recovered additional variants of Duqu from another European organization, with a compilation time of Monday, Oct. 17; however, these variants have yet to be analyzed.