The "Duqu" variant of the Stuxnet Trojan worm has been discovered, and its potential for attacking critical infrastructure computers around the world is worrisome.
The original Stuxnet managed to infiltrate computer systems in Iran and do damage to that nation's nuclear research program.
“On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility… the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.” – Symantec Official Blog
At this point, Duqu only creates a back door into infected systems, connecting them to a command computer somewhere in India. Duqu is primarily a remote access Trojan (RAT). The threat does not self-replicate. Duku is designed to leave the back door open for precisely 36 days, and then self-destruct.
Mikko Hypponen, F-Secure's Chief Research Officer said, “Duku is so similar to Stuxnet that F-Secure's antivirus program initially identified it as Stuxnet.”
Symantec’s analysis shows the Duqu may have been used to surveil computers around the world as far back as December 2010. One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan but was not necessarily stolen from that company. It might have been generated by the Duqu programmers.
"We wanted to put out the word so people know about the threat, and know what to watch out for, such as traffic to unknown servers or what files to look for so they can try to block them," he said. "In the coming days, we will look into information from other sources we have and see if we can get more information on what these guys are actually going for. The key thing missing here, unlike Stuxnet, is we don't know what they are looking for." – Symantec Official Blog
Source:
http://redtape.msnbc.msn.com/_news/2011/10/18/8384786-son-of-stuxnet-virus-could-be-used-to-attack-critical-computers-worldwide