A new cyber-threat, Duqu, has been identified as a possible “new Stuxnet”. Stuxnet was the threat, discovered in 2010, that sabotaged industrial control equipment at an Iranian uranium-enrichment facility.
According to Symantec Security Response’s official blog: “On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat ‘Duqu’ [dyü-kyü] because it creates files with the file name prefix ‘~DQ’.”
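The “~DQ” file name prefix is the one concrete indicator this article gives. The following hunt script is an added example, not code from Symantec or from the article; it walks a directory tree and returns any file whose name starts with that prefix. The sample directory layout it builds (a user profile with a Temp folder, two Duqu-style names, an Office lock file and an unrelated .tmp file) is constructed here for illustration and is not taken from the Duqu samples.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Duqu was named after the "~DQ" prefix of the files it creates (per the
# Symantec write-up quoted above). That prefix is the only indicator on this
# page, so a hit is a lead for triage, not proof of infection: a file name is
# trivial for an attacker to change, and Duqu was reported as highly targeted,
# so no hits says nothing about a system that was never targeted.
DUQU_PREFIX = "~DQ"


def is_dq_name(name):
    """True if a bare file name carries the published "~DQ" prefix.
    Deliberately case-sensitive and anchored at the start, so Office's
    "~$document.docx" lock files and names merely containing "DQ" do not match."""
    return name.startswith(DUQU_PREFIX)


def find_dq_files(root):
    """Walk `root` and return the sorted, POSIX-style relative paths of every
    file whose name matches is_dq_name(). Directories are not reported."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_dq_name(name):
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data (hypothetical, not recovered Duqu files):
    a temp directory shaped like a user profile. Caller removes it."""
    root = Path(tempfile.mkdtemp(prefix="dq_hunt_"))
    (root / "AppData" / "Local" / "Temp").mkdir(parents=True)
    for rel in (
        "AppData/Local/Temp/~DQ1.tmp",        # Duqu-style name
        "AppData/Local/Temp/~DQ8.tmp",        # Duqu-style name
        "AppData/Local/Temp/~$report.docx",   # benign Office lock file
        "AppData/Local/Temp/tmp1234.tmp",     # unrelated temp file
    ):
        (root / rel).write_bytes(b"")
    return root


def demo():
    """Build the sample tree, hunt it, clean up, and return the hits."""
    root = build_sample_tree()
    try:
        return find_dq_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious file:", hit)
```

Point `find_dq_files()` at a collected user-profile or Temp directory; anything it returns should be acquired for analysis rather than deleted, since the article notes Duqu installs a separate infostealer whose artifacts are not covered by this prefix check.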
“The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose,” according to Symantec.
“Duqu is essentially the precursor to a future Stuxnet-like attack,” it warns. “The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered.
“Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”
Symantec explains that Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). In addition, the threat does not self-replicate, but was highly targeted toward a limited number of organisations for their specific assets.
Symantec’s study of the threat shows that the attackers used Duqu to install another infostealer that could record keystrokes and gain other system information – they were searching for assets that could be used in a future attack.
The company points out that, while Duqu shares a great deal of code with Stuxnet, the payload is completely different.
“Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.”