Symantec today warned that a new Stuxnet-like attack dubbed Duqu may be on the horizon, based on file samples the security company received from an undisclosed research lab with "strong international connections." Parts of Duqu are nearly identical to Stuxnet, which infamously wreaked havoc on Iran's nuclear program, though its purpose is far different: It aims to steal information from industrial control systems instead of sabotaging them.
Stuxnet, which reared its malicious head last January, represented a cyber threat the likes of which the IT security community had never seen. By some accounts, it marked the start of the next security arms race, demonstrating that cyber warfare represents the next big threat. Thus, Duqu warrants close scrutiny and preparation, particularly since it started infecting target organizations in Europe as early as December 2010.
Duqu was written either by the same authors as Stuxnet or by someone with access to the Stuxnet source code, according to Symantec. It appears to have been created after the last Stuxnet file was recovered. It derives its name from the prefix, .DQ, of the names of the files it creates. The malware's purpose, according to Symantec, is to gather data and assets, such as design documents, from ICS (industrial control system) manufacturers. That information, in turn, could help attackers mount an offensive against an industrial control facility. It's plausible that the hackers behind Duqu are similarly using undetected variants to target other types of organizations, Symantec cautioned.
Duqu itself contains no code related to ICSes; it's primarily a non-self-replicating RAT (remote access Trojan). Using a custom protocol over HTTP and HTTPS, Duqu communicates with a command-and-control server to download executables, such as information-stealing malware capable of recording keystrokes and swiping other sensitive system information for mounting future attacks. The stolen information is logged to a lightly encrypted and compressed local file, which must then be exfiltrated, according to Symantec. Perhaps to hide its tracks, the command-and-control protocol uploads and downloads what appear to be JPG files as it sends and receives encrypted files for exfiltration.
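One defensive check the JPG disguise suggests, as an added example that is neither Symantec's nor InfoWorld's code and that does not claim to describe Duqu's actual on-the-wire format: walk the marker structure of a transfer claiming to be a JPEG and report any bytes that trail the end-of-image marker, where a smuggled payload would have to sit if the image itself is kept valid. The sample bytes below are constructed for the demonstration.

```python
"""Heuristic inspection of 'image/jpeg' transfers: a well-formed JPEG ends at
its EOI marker, so bytes after EOI (or a header that never parses) are worth
flagging in proxy or sandbox logs.  Constructed example, not Duqu's format."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Markers that carry no length field: SOI, EOI, TEM and the RSTn markers.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

def inspect_jpeg(data: bytes) -> dict:
    """Return {'valid_header', 'trailing', 'reason'} for a candidate JPEG."""
    if not data.startswith(SOI):
        return {"valid_header": False, "trailing": len(data), "reason": "no SOI"}
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return {"valid_header": True, "trailing": len(data) - pos,
                    "reason": "marker expected"}
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: anything after it is not part of the image
            return {"valid_header": True, "trailing": len(data) - pos - 2,
                    "reason": "ok"}
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data) or struct.unpack(">H", data[pos + 2:pos + 4])[0] < 2:
            return {"valid_header": True, "trailing": len(data) - pos,
                    "reason": "bad segment length"}
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return {"valid_header": True, "trailing": 0, "reason": "no EOI (truncated)"}

def looks_suspicious(data: bytes) -> bool:
    """True when the transfer is not a clean, self-contained JPEG."""
    info = inspect_jpeg(data)
    return (not info["valid_header"]) or info["trailing"] > 0 or info["reason"] != "ok"

def build_sample(extra: bytes = b"") -> bytes:
    """Constructed minimal JPEG-like bytes: SOI, one JFIF APP0 segment, EOI,
    then optional appended bytes standing in for a hidden payload."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # 14 bytes
    return SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 + EOI + extra
```

Real images from cameras and editors sometimes carry trailing junk too, so treat a hit as a triage signal to correlate with the host and destination, not as proof of compromise on its own.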
Symantec researchers provide a deeper analysis of Duqu, along with comparisons between it and Stuxnet, in a free white paper titled "W32.Duqu: The precursor to the next Stuxnet" (PDF).
This story, "Symantec warns about Duqu, a new Stuxnet-style threat," was originally published at InfoWorld.com.