We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Duqu: New Malware Is Stuxnet 2.0

A new malware threat has been discovered which is built on the same code as the sophisticated Stuxnet worm.

Researchers have identified a new malware threat which has been dubbed "Duqu". The new threat is apparently developed by the same author who developed the Stuxnet worm that was used in targeted attacks against Iranian nuclear power plants, but Duqu has its sights set on a completely different target.

Independent researchers in Europe have shared the malware code with researchers at McAfee and Symantec, and all parties agree that Duqu is built on the same source code as Stuxnet. A blog post from Symantec explains, "Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered."

Although the core code may be the same, A McAfee Labs blog post says that Duqu does not have the PLC-compromising capabilities of its predecessor. Duqu installs drivers and encrypted DLLs on infected machines similar to the original Stuxnet, though, and McAfee claims that the code used for the injection attack, and several of the encryption keys and techniques used by Duqu are all close to those used by Stuxnet.

After analyzing the captured code, researchers believe that Duqu is specifically designed to target certificate authorities. Certificate authorities are trusted sources of digital certificates used to verify authenticity of servers and ensure that the systems you connect to on the Internet are what they claim to be. Attackers in possession of rogue certificates may be able to lure or redirect victims to rogue servers while appearing to be a legitimate server.

The trust on which the Web relies has already been shaken a couple times this year. First with the breach of RSA Security and compromise of the encryption keys used in the SecurID two-factor authentication tokens, and more recently with the hack of DigiNotar--a certificate authority.

The payload of Duqu is quite different from Stuxnet. Stuxnet was designed to sabotage industrial control systems, but Duqu provides remote command and control capabilities, and sophisticated keylogger tools. It seems to be intended to infiltrate and gather sensitive information--possibly for use in a future attack of another kind.

McAfee, Symantec, and others are aware of the threat and have developed signatures to detect and block Duqu. However variants may still slip through before new signatures can be created, and certificate authorities in particular should be on high alert for any malicious or suspicious activity.

IDG UK Sites

Black Friday 2014 tech deals UK Live: Best Black Friday deals from Apple, Amazon, Argos, eBay,...

IDG UK Sites

Black Friday feeding frenzy infects the UK

IDG UK Sites

VAT MOSS: Will I be affected by the EU VAT changes? Here are the facts for designers and artists

IDG UK Sites

Black Friday 2014 UK: Apple deals, Amazon deals & Black Friday tech offers