A close relative of Stuxnet has emerged, sharing code with the malware that wreaked havoc on Iranian centrifuges.
The new malware, dubbed Duqu, or the “son of Stuxnet,” serves a related but different purpose. Where Stuxnet was built to sabotage centrifuges by infecting the SCADA industrial control systems that drive them, Duqu is built to gather intelligence and other assets from its targets, including organizations in the industrial control sector, and to find weak points for future attacks.
According to an analysis of Duqu by security company Symantec, “Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered.”
It adds, “The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” and the malware “does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT).”
Symantec’s full write-up of Duqu paints a clear picture of how the malware works.
Sophos notes in its Naked Security blog that while Duqu’s components do not target SCADA systems, they include “related driver files that provide the malware the ability to download additional components.”
It adds that the driver files were digitally signed, as Stuxnet’s were, with a certificate traced to the Taiwanese firm C-Media: “This may not be a coincidence, as Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers in the same neighborhood … The mystery remains, however. Were these certificates stolen, or simply generated through compromised certificates to appear to belong to these organizations?”
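The practical lesson from the signed drivers is that a signature which validates is not by itself exoneration: the Stuxnet and Duqu drivers carried signatures that looked legitimate, and the lead was the vendor name on the certificate, not a failed check. The PowerShell below is an added example written for this page (it is not code from the article, Symantec, or Sophos) that sweeps a driver directory, records each file’s Authenticode signer and status, and flags drivers signed by the vendors named above. The vendor list and the driver path are assumptions; matches are leads for triage, since legitimate Realtek, JMicron, and C-Media drivers will match too.

```powershell
# Added example (not from the article or from Symantec/Sophos): list kernel drivers
# whose Authenticode signer matches a vendor named in the Stuxnet/Duqu reporting.
# The watch list and the directory swept are assumptions for illustration.
$WatchedSigners = @('C-Media', 'Realtek', 'JMicron')      # vendors named in the article
$DriverPaths    = @("$env:SystemRoot\System32\drivers")   # assumed location to sweep

$results = foreach ($path in $DriverPaths) {
    Get-ChildItem -Path $path -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert    = $sig.SignerCertificate
        $subject = if ($cert) { $cert.Subject } else { '' }
        # Case-insensitive substring match of each watched vendor against the signer subject
        $hit     = $WatchedSigners | Where-Object { $subject -match [regex]::Escape($_) }

        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer        = $subject
            Thumbprint    = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter      = if ($cert) { $cert.NotAfter }   else { $null }
            TimeStamped   = [bool]$sig.TimeStamperCertificate
            WatchedVendor = [bool]$hit
        }
    }
}

# Two populations deserve a second look: drivers signed by a watched vendor (even
# when Status is Valid), and drivers whose signature no longer validates, which is
# what a certificate that has since been revoked or distrusted looks like.
$results |
    Where-Object { $_.WatchedVendor -or $_.Status -ne 'Valid' } |
    Sort-Object Status, Signer |
    Format-Table File, Status, Signer, TimeStamped -AutoSize
```

Run from an elevated prompt so every file under the drivers directory is readable. The Thumbprint column is what you would compare against a known-good list of the vendor’s genuine signing certificates; a watched-vendor signature whose thumbprint is not on that list is the case the article describes.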
* Image: raster version by Polish Wikipedia user Andrew313, vectorized by Krzysztof Zajączkowski [GFDL (www.gnu.org/copyleft/fdl.html)], via Wikimedia Commons