In a newly published report, Symantec warns of a new threat to industrial control systems that they have named "Duqu" (so named because it creates files with the prefix "DQ").
Interestingly, the new malcode has so much in common with Stuxnet that it is purported to have been written by the authors of Stuxnet, or by someone with access to the Stuxnet source code.
W32.Duqu's primary purpose is intelligence gathering: it targets industrial control system manufacturers, most likely to collect the information needed for future attacks against those targets.
Symantec characterizes W32.Duqu as "primarily a remote access Trojan (RAT)" and the "original sample of W32.Duqu was gathered from a research organization based in Europe and that additional variants have been recovered from an additional organization in Europe."
W32.Duqu is not self-replicating; its initial infection vector (how it reaches a victim system) is unknown at this time.
The malcode is designed to run for 36 days, after which it removes itself from the host system. W32.Duqu's command and control servers are reported to be hosted in India.
US DHS' Industrial Control System Security group issued ICS-ALERT-11-291-01-W32.DUQU: AN INFORMATION GATHERING MALWARE TARGETING INDUSTRIAL CONTROL SYSTEMS MANUFACTURERS on October 18, 2011.
Symantec's research found that W32.Duqu was used to install an "infostealer" designed to "record keystrokes and collect other system information". In at least one case, however, the attackers were not able to "successfully exfiltrate any sensitive data".
Based on "file-compilation times, attacks may have been conducted as early as December 2010", well before the samples were recovered.