W32.Duqu - Harbinger of the Next Stuxnet?

Wednesday, October 19, 2011

Ron Baklarz


In a newly published report, Symantec warns of a new threat to industrial control systems that they named "Duqu" (so named because it creates files with the prefix "DQ").

Interestingly, the new malcode has so much in common with Stuxnet, that it is purported to have been written by the authors of Stuxnet or someone having access to the Stuxnet source code.

W32.Duqu's primary purpose is intelligence gathering, focusing on industrial control system manufacturers, with the likely intent of enabling future attacks against targeted victims.

Symantec characterizes W32.Duqu as "primarily a remote access Trojan (RAT)" and the "original sample of W32.Duqu was gathered from a research organization based in Europe and that additional variants have been recovered from an additional organization in Europe."

W32.Duqu, whose method of propagation is unknown at this time, is not self-replicating.

The malcode is designed to run for 36 days, after which it removes itself from the host system. W32.Duqu's command-and-control servers are reported to be hosted in India.

US DHS' Industrial Control System Security group issued ICS-ALERT-11-291-01-W32.DUQU: AN INFORMATION GATHERING MALWARE TARGETING INDUSTRIAL CONTROL SYSTEMS MANUFACTURERS on October 18, 2011.

Symantec's research found that W32.Duqu was used to install an "infostealer" designed to "record keystrokes and collect other system information". In at least one case the attackers were not able to "successfully exfiltrate any sensitive data".

Based on "file-compilation times, attacks may have been conducted as early as December 2010."

grace reiz: After the computer malware Stuxnet, it has been tough for many computer experts to determine. In 2010, it infected nuclear control systems in Iran. Industrial control computers in Europe have been infected with a brand new malware. This virus, dubbed Duqu, uses Stuxnet DNA to mine industrial data. The said virus doesn't appear to have direct influence, but mines for information that could be used for further attacks. Thus far, at least three variants of Duqu have been identified in European industrial control companies. Researchers theorize that the virus is intended to download sensitive information that could be used to launch further, destructive effects, and this is the more dangerous one that should be avoided and destroyed before it gains full force to launch more dangerous attacks all over the world.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.