Duqu may derive from STARS, the spy-virus Iran reported having been attacked by in April

The newly discovered Son-of-Stuxnet malware named Duqu may have been around longer than anyone thought, according to a blog post Friday on Kaspersky Labs' SecureList site.

According to Kaspersky blogger Ryan Naraine – who cites a tweet from Iran's Computer Emergency Response Team (IrCERT) – Duqu is actually a variant of the STARS virus Iran claimed to have identified in 2010 but has never released for other researchers to examine.

If the report is true it means Duqu was designed – just as was Stuxnet – specifically as a way to spy on or sabotage the nuclear-weapons development program in Iran, according to Naraine, a former colleague who is a skilled reporter not known for getting his facts wrong.

The facts are slippery in this case, though.

The information came from Twitter user @msabz, a malware analyst in Virginia. He/she posted a notice reading "According to result of #IrCert investigations #Duqu is upgraded version of #Stars malware," but deleted the tweet almost immediately "for safety reasons."

Two weeks ago Roman security researcher Paolo Passeri posted a blog noting some odd astrophysical references common to Stuxnet and Duqu.

He wondered at the coincidence, as well as the claim in April that Iran had been attacked by a new virus with Stuxnet-like capabilities, which it named STARS, another astrophysical reference.

Now it appears some of the image files Stuxnet and Duqu use to encrypt and conceal the stolen data they're sending home are similar shots of deep space, some from the Hubble Telescope.

F-Secure is running a contest with some of the graphics, to find someone who can explain why Duqu hides data in a NASA pic of two galaxies colliding.

Iran's CERT never released any copies of STARS, and now some government officials are denying it ever existed. (Reference via a comment on Naraine's blog by "Sec," who registered on the site yesterday, listed his location as "Iran" and has made just one comment under that username.)

One bit of corroboration: Naraine writes that Kaspersky "can now confirm that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel level exploit in win32k.sys via embedded True Type Font (TTF) file."

Possibly faulty logic chain:

  • If Stars is Duqu;
  • if Duqu is version 2 of Stuxnet;
  • if Stuxnet was sent by the U.S. or Israeli governments to attack Iran's nuclear power program;
  • then the smart-virus development cycle that produced both Stuxnet and Duqu is a lot shorter than was implied by the six to 12 months between Stuxnet's last big blast and the discovery of Duqu in the wild.

That's a lot of 'ifs' and a lot of uncertainties, which is yet another similarity between Duqu and Stuxnet (though high levels of uncertainty are also common to nearly every story or issue involving Iran, cyberespionage and anything nuclear).

Here's Ryan's FAQ on Duqu. Ryan does usually get his facts right. In this case it looks as if everyone with any real knowledge of Duqu's goals and origin is either keeping quiet or leaving potentially misleading clues to raise some level of doubt even about facts that have already been confirmed.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
