'Stuxnet 2.0' called Duqu is data thief aimed at very specific targets

Descendant called Duqu designed for remote-access data theft, not ruining SCADA apps

Stuxnet, the virus some researchers called the smartest virus ever written, has apparently spawned a second generation designed to infiltrate specific organizations and steal specific types of data using sophisticated remote data access functions the original lacked.

Son of Stuxnet – named Duqu – is clearly a descendant, however, according to the Symantec researchers who published an analysis of it.

It shares "a great deal of code with Stuxnet," but the payload and apparent goals are far different, according to Symantec.

Rather than infiltrating and destroying industrial systems such as those in Iran's nuclear-fuel development sites, at which Stuxnet was aimed, Duqu is designed to create covert remote access to systems it attacks.

It appears to be designed as a scout that can gather intelligence on specific organizations, "looking for information such as design documents that could help them mount a future attack on an industrial control facility," according to Symantec.

Duqu is a remote-access Trojan (RAT) that doesn't replicate itself to other systems after successfully infiltrating one.

Instead, it uses a custom-developed command-and-control protocol to communicate via HTTP and HTTPS with its control servers and to download other data-stealing apps, which it uses to collect the information it is directed to gather.

Once it has collected the data it wants, Duqu encrypts the stolen bits, creates fake JPG files and uploads the stolen data under cover of the dummy image files.
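A defender-side check for the disguise described above, as an added example that is not from Symantec's analysis or this article: it walks the JPEG marker structure of a body sent as an image and flags files that are not valid JPEGs or that carry a large high-entropy trailer after the end-of-image marker. The article does not say how Duqu lays out its dummy files, so the trailer layout, the function names and the thresholds are assumptions, and the sample bytes are constructed.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_jpeg_end(data: bytes):
    """Walk the JPEG marker structure; return the offset just past EOI, else None."""
    if data[:2] != b"\xff\xd8":                      # must open with SOI
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                              # segment structure is broken
        marker = data[pos + 1]
        if marker == 0xD9:                           # EOI: the image ends here
            return pos + 2
        if pos + 4 > len(data):
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == 0xDA:                           # SOS: skip entropy-coded scan data
            skip = {0x00, 0xFF, *range(0xD0, 0xD8)}  # stuffing, fill, RSTn
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in skip):
                pos += 1
    return None

def classify_upload(data: bytes, min_trailer: int = 256, entropy_floor: float = 7.2) -> str:
    """Label a body that was sent as image/jpeg (thresholds are assumed, tune locally)."""
    end = find_jpeg_end(data)
    if end is None:
        return "not-a-valid-jpeg"
    trailer = data[end:]
    if len(trailer) >= min_trailer and shannon_entropy(trailer) >= entropy_floor:
        return "jpeg-with-high-entropy-trailer"
    return "jpeg-with-trailer" if trailer else "plain-jpeg"

# Constructed samples: a structurally minimal JPEG (SOI, APP0, SOS, scan bytes, EOI)
# and a hash-derived byte stream standing in for an encrypted blob.
CLEAN = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
         + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for name, body in [("clean", CLEAN), ("padded", CLEAN + BLOB), ("blob", BLOB)]:
        print(name, classify_upload(body))
```

Run over bodies carved from proxy or packet captures, the two flagged labels are triage leads rather than verdicts, since some legitimate tools also append data after the end-of-image marker.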

It's designed to run for 36 days after installation, then automatically remove itself, according to Symantec.

Duqu first showed up Sept. 1 of this year, but may have been in the wild as early as December of 2010, according to metadata within the malware identifying the time it was compiled.

Symantec found two variants of the main code, but warns in its report that others may be attacking other organizations without having been detected so far.

One of the two variants of W32.Duqu, as Symantec calls it, carries a valid digital certificate stolen from a company in Taipei, which was a Symantec customer. Symantec had the certificate cancelled Oct. 14.

The certificate was stolen, not generated separately, which would have indicated the code-signing process from Symantec or another company, according to an update from Symantec this morning.

Despite having been the first to do an in-depth analysis, Symantec didn't discover the virus itself, according to the NYT.

It was discovered by a "research lab with strong international connections" that refused to be identified in order to protect the identity of the client that was actually infected.

The only information revealed about the Duqu victims is that they are mostly involved in the development, manufacture or control of industrial machinery and were located mostly in Europe.

Symantec researchers couldn't tell if Duqu was written by the same authors as Stuxnet. If it wasn't the same group, it was another that had access to the source code, not just the active binaries retrieved from victims.

The authors are at least as sharp as those who created Stuxnet, according to Vikram Thakur, principal security response manager for Symantec.

Symantec couldn't determine how Duqu inserted itself in victimized systems, but did say it was just as sophisticated as Stuxnet.

"This is extremely sophisticated," Thakur told the Times. "This is cutting edge."

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
