Symantec researchers have discovered a new worm in the wild that has the potential to attack and cripple industrial control systems, much like Stuxnet did.
The new worm, dubbed Duqu, shares a lot of the code with Stuxnet, leading Symantec researchers to believe it was either created by the same team or by another group with access to the Stuxnet source code, Symantec researchers said in a 46-page white paper released Oct. 18. Unlike Stuxnet, which was designed to attack a very specific type of computer system, Duqu does not appear to have a clear target.
Discovered a little over a year ago, Stuxnet is considered one of the most sophisticated pieces of malware ever developed. It compromised several industrial control systems at Iran's Natanz nuclear facility. Observers believe the malware set Iran's nuclear program back years. Although researchers around the world have analyzed Stuxnet, the source code is "not out there," according to Mikko Hypponen, chief research officer of F-Secure, noting that "only the original authors have it."
"Duqu is essentially the precursor to a future Stuxnet-like attack," Symantec Security Response researchers wrote on the Symantec Connect blog. The researchers did not speculate on its origins.
Duqu's primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. Duqu does not interfere with the operations of the infected system, but focuses on reconnaissance.
Attackers were looking for information such as design documents for supervisory control and data acquisition (SCADA) systems used to control machinery and other key operations that could be used when attacking a power plant or industrial facility. They have been silently monitoring computers since December 2010, and Duqu's activities are most likely a precursor to a larger, more comprehensive attack.
Symantec researchers saw Duqu for the first time Oct. 14, when another firm that had been working with a victim in Europe sent the sample. Symantec researchers analyzed the sample and have since determined that industrial computers "around the globe" have already been infected. Symantec declined to name the initial victim or the security firm, or state the number of victims affected.
Duqu "is Stuxnet, retrofitted for general remote access," Bill Roth, CMO of LogLogic, told CIO Insight sister publication eWEEK, noting that "everything else" is the same. "Anyone surprised by the Duqu virus ought to have their head examined," he added.
McAfee researchers Guilherme Venere and Peter Szor are fairly confident that Duqu was created by the same developers responsible for Stuxnet. They based their conclusions on the fact that both viruses use similar encryption keys and techniques, injection code and fraudulent digital certificates, which had been issued to companies in Taiwan. The digital certificate keys appear to be real, which also make the programs look legitimate.