Iran admits Duqu attack; denies report its nukes are for war, not power

Iran's chief cybersecurity official said yesterday Duqu infections were under control

The head of Iran's civic defense organization told a government-controlled news agency that digital security scans had found the Duqu virus infecting some systems in the country, but that the infection was under control.

Brigadier General Gholamreza Jalali said Sunday that all Iran's critical military and research sites were being scanned for further infections, but that the first contaminations were contained and on the way to being eliminated using antivirus software developed by Iranian cybersecurity teams.

"The software to control the (Duqu) virus has been developed and made available to organisations and corporations" in Iran, according to the official IRNA news agency.

"The elimination (process) was carried out and the organizations penetrated by the virus are under control ... The cyber defense unit works day and night to combat cyber attacks and spy (computer) virus," he added.

Duqu, discovered by the Laboratory of Cryptography and System Security (CrySyS) in Budapest in October, appears to be the next-generation version of Stuxnet, the militarized virus discovered while attacking Iranian nuclear-fuel development facilities in 2010.

Duqu appears to be designed more as a pure espionage tool, however, rather than one intended to penetrate and sabotage industrial systems, according to analyses by Symantec, Kaspersky Labs and other security firms.

It is also a shape-shifter that is changed by its authors for each new site it attacks, and reconfigures itself on the fly by adding new modules, changing the processes it infects and the way it communicates with its command-and-control servers.

It also has a sense of humor, or at least the residue of one from its authors, who included messages concealed as "Easter egg" surprises that refer to the HBO series Dexter, about a serial killer who hunts other serial killers, according to Kaspersky Labs analyst Alexander Gostev.

Iran's Jalali said Duqu is the third major virus attack to hit Iran, following the serious damage done by Stuxnet and negligible damage from a virus Iran calls STARS, which it claims to have detected but never released to security researchers. Researchers in the U.S. have theorized STARS is actually an earlier edition of Duqu.

Jalali did not say what facilities had been affected or how much damage Duqu had done.

The International Atomic Energy Agency (IAEA) issued a report last week, however, contradicting Iran's consistent arguments that its nuclear-development program is entirely peaceful.

Rather than being designed only to create nuclear-power facilities, the report says, there is "credible evidence" that Iran's nuclear programs have included efforts to develop "a nuclear explosive device."

Iranian officials called the report heavily politicized and slammed the head of the IAEA as "unprofessional." Officials in countries considered allies of Iran – including Russia – issued statements saying the report favored Israel's view of Iran to the point of misinterpreting evidence on Iran's nuclear programs.

Iran said nothing else about its anti-Duqu tool, how it detects the virus or how it eliminates it, except that the virus was "under control."

CrySyS Labs, however, has released an open-source toolkit designed to identify systems infected with Duqu.

The CrySyS Duqu Detector Toolkit includes four standalone forensic tools, developed by CrySyS, that use both signatures and heuristics to look for files changed in ways characteristic of Duqu.

Detection isn't perfect, however, according to the toolkit's release notes, so admins should check results themselves to avoid expensive repairs following a false positive.
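The combination the toolkit's description refers to, signatures for known artifacts plus heuristics for things that merely look wrong, is a common pattern in forensic scanners, and the release-note caveat about false positives follows directly from it. The following scanner is an added example written for this article; it is not code from the CrySyS toolkit, and the hash, byte-pattern and entropy indicators it uses are constructed placeholders, not real Duqu indicators. It shows how a signature hit and a heuristic hit are kept separate so that an admin can treat "infected" and "suspicious, verify manually" differently:

```python
"""Toy signature + heuristic file scanner (added example; not the CrySyS toolkit)."""
import hashlib
import math
import os
import tempfile
from dataclasses import dataclass, field

# Constructed indicators for demonstration only. They are NOT real Duqu IoCs;
# a real scanner would load vetted hashes and patterns from a signature file.
SAMPLE_MALICIOUS_BYTES = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-SAMPLE-PAYLOAD"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest(): "constructed-sample"}
BYTE_PATTERNS = {b"CONSTRUCTED-SAMPLE-PAYLOAD": "constructed-marker"}

# Heuristic settings (assumed values, tune for the environment being scanned).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv"}
HIGH_ENTROPY_THRESHOLD = 7.2   # bits per byte; packed/encrypted data sits near 8.0
MIN_ENTROPY_SIZE = 256         # tiny files give meaningless entropy values


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Finding:
    path: str
    signature_hits: list = field(default_factory=list)   # exact, low false-positive
    heuristic_hits: list = field(default_factory=list)   # fuzzy, needs human review

    @property
    def verdict(self) -> str:
        # A signature match is treated as a positive; heuristics alone only
        # escalate the file for manual verification, never for automatic repair.
        if self.signature_hits:
            return "infected"
        if self.heuristic_hits:
            return "suspicious"
        return "clean"


def scan_bytes(path: str, data: bytes) -> Finding:
    """Apply signatures first, then heuristics, to one file's contents."""
    finding = Finding(path)

    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        finding.signature_hits.append(f"sha256:{KNOWN_BAD_SHA256[digest]}")
    for pattern, name in BYTE_PATTERNS.items():
        if pattern in data:
            finding.signature_hits.append(f"pattern:{name}")

    # Heuristic 1: PE ("MZ") header inside a file whose extension is not executable.
    ext = os.path.splitext(path)[1].lower()
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        finding.heuristic_hits.append(f"pe-header-in-{ext or 'no-ext'}")
    # Heuristic 2: near-random content, typical of packed or encrypted payloads.
    if len(data) >= MIN_ENTROPY_SIZE and shannon_entropy(data) > HIGH_ENTROPY_THRESHOLD:
        finding.heuristic_hits.append("high-entropy")
    return finding


def scan_tree(root: str) -> list:
    """Scan every regular file under root; unreadable files are skipped, not guessed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    findings.append(scan_bytes(full, fh.read()))
            except OSError:
                continue
    return findings


def summarize(findings: list) -> dict:
    """Count verdicts so the review queue ('suspicious') is visible at a glance."""
    counts = {"infected": 0, "suspicious": 0, "clean": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample tree: one signature hit, one heuristic-only hit, one clean file.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "cache.tmp"), "wb") as fh:
            fh.write(SAMPLE_MALICIOUS_BYTES)
        with open(os.path.join(root, "blob.bin"), "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        with open(os.path.join(root, "tool.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 300)
        results = scan_tree(root)
        for f in sorted(results, key=lambda f: f.path):
            print(f"{f.verdict:10s} {os.path.basename(f.path)} "
                  f"sig={f.signature_hits} heur={f.heuristic_hits}")
        print(summarize(results))
```

The design point is the split between the two hit lists: the signature list is what justifies action, while the heuristic list is a work queue for an analyst, which is exactly why an automated repair should never be triggered by a "suspicious" verdict alone.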

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
