FAQ: What's the big deal about Duqu?
The recently discovered Duqu Trojan could pose a grave threat to the industrial control systems
The recently discovered Duqu Trojan has received considerable attention from the security research community. Here's why.
What is Duqu? It's a Remote Access Trojan (RAT) that is designed to steal data from computers it infects. It was discovered by the Laboratory of Cryptography and Systems Security (CrySys) at Budapest University.
[ Also on InfoWorld: Open source toolkit tracks down Duqu malware. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
RATs are pretty common these days. Why is so much attention to Duqu? Duqu is believed to have been created by the same people who wrote Stuxnet, the worm that was used to disrupt operations at Iran's Natanz nuclear facility last year. A lot of security analysts believe that it is a precursor to the next Stuxnet and poses a grave threat to the industrial control systems that manage equipment at critical infrastructure facilities such as power plants and water treatment facilities.
What exactly is the link between Stuxnet and Duqu? Duqu and Stuxnet share a lot of common code and functions. While Stuxnet binaries have been floating around for some time, the actual source code itself has not been publicly available. The fact that Duqu contains Stuxnet code has led some to believe that Duqu's authors either have direct access to Stuxnet code -- or were the authors of Stuxnet. Duqu also uses an installation driver that is signed using a stolen or forged digital certificate belonging to a Taiwanese company called JMicron. Stuxnet used certificates belonging to the same company.
So, Duqu is targeted at industrial control systems then? Sort of, but not quite in the same manner as Stuxnet. Duqu appears designed to steal information from vendors of industrial control systems. It is an intelligence-gathering agent. Stuxnet on the other hand was designed to cause actual physical damage to industrial control systems. Security vendor Symantec and others believe that Duqu is being used to steal information that can eventually be used to craft another Stuxnet.
How serious a threat does Duqu really pose? That depends on whom you ask. Companies such as Symantec and Kaspersky have described Duqu as a highly sophisticated piece of malware likely created by a nation state for the specific purpose of going after industrial control systems. Those fears are likely to be fueled by news emerging from Iran that computers in the country have been targeted by Duqu.
