October 19, 2011, 1:12 PM — Stuxnet, the virus some researchers called the smartest virus ever written, has apparently spawned a second generation designed to infiltrate specific organizations and steal specific types of data using sophisticated remote data access functions the original lacked.
Son of Stuxnet, named Duqu, is clearly a descendant, according to the Symantec researchers who published an analysis of it.
It shares "a great deal of code with Stuxnet," but the payload and apparent goals are far different, according to Symantec.
Rather than infiltrating and destroying industrial systems such as those in Iran's nuclear-fuel development sites, at which Stuxnet was aimed, Duqu is designed to create covert remote access to systems it attacks.
It appears to be designed as a scout that can gather intelligence on specific organizations, "looking for information such as design documents that could help them mount a future attack on an industrial control facility," according to Symantec.
Duqu is a remote-access Trojan (RAT) that doesn't replicate itself to other systems after successfully infiltrating one.
Instead it uses a custom command-and-control protocol over HTTP and HTTPS to talk to its control servers and to download additional data-stealing modules, which it uses to collect whatever information it is directed to gather.
Once it has collected that data, Duqu encrypts it, wraps it in fake JPG files, and uploads it to the control servers under cover of the dummy image files.
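A practical check for the exfiltration pattern described above, as an added example that is not from the article or from Symantec's analysis: a script that walks a file's JPEG segment structure, locates the end-of-image marker, and reports how much data follows it and how random that data looks. Encrypted data appended to a valid image has near-maximal byte entropy, which is what gives the disguise away. The sample files, the stand-in "ciphertext", and the thresholds are constructed assumptions; the script knows nothing about Duqu's actual container format and only tests for the generic "valid image followed by an opaque blob" shape.

```python
"""Added example: flag image files that carry an opaque payload after the
JPEG end-of-image (EOI) marker. Not Duqu's real format; a generic structural
check. Sample inputs below are constructed for the demonstration."""
import math

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def jpeg_end_offset(data: bytes):
    """Walk the JPEG marker segments and return the offset just past EOI,
    or None if the bytes are not a structurally valid JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                      # EOI reached directly
            return pos + 2
        if marker == 0xDA:                      # SOS: entropy-coded data runs until EOI
            idx = data.find(EOI, pos)
            return None if idx < 0 else idx + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone TEM / RSTn markers
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes its own 2 bytes
        if seg_len < 2:
            return None
        pos += 2 + seg_len
    return None


def analyze(data: bytes) -> dict:
    """Report trailing-data size and entropy for a JPEG-looking blob."""
    end = jpeg_end_offset(data)
    if end is None:
        return {"valid_jpeg": False, "trailing_bytes": 0,
                "trailing_entropy": 0.0, "suspicious": False}
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    # Assumed thresholds (not from the article): a few stray bytes after EOI are
    # common in real files; dozens of bytes near 8 bits/byte look like a payload.
    suspicious = len(trailer) >= 64 and ent > 7.0
    return {"valid_jpeg": True, "trailing_bytes": len(trailer),
            "trailing_entropy": round(ent, 3), "suspicious": suspicious}


def minimal_jpeg() -> bytes:
    """Constructed: a tiny structurally valid JPEG shell (not a decodable picture)."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\x56"                     # placeholder entropy-coded data
    return SOI + app0 + sos + scan + EOI


# Constructed stand-in for an encrypted blob: every 256-byte block is a
# permutation of all byte values, so its entropy is exactly 8.0 bits/byte.
FAKE_CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(4096))

if __name__ == "__main__":
    samples = {
        "clean image": minimal_jpeg(),
        "image + 2 stray bytes": minimal_jpeg() + b"\x00\x00",
        "image + appended payload": minimal_jpeg() + FAKE_CIPHERTEXT,
        "not a jpeg": b"MZ\x90\x00 not an image",
    }
    for name, blob in samples.items():
        print(f"{name:26s} {analyze(blob)}")
```

Run against a directory of images pulled from proxy logs or a mail gateway, the same logic flags files whose declared type is JPEG but whose bulk sits after the image ends; a legitimate photo may carry a few bytes of padding or a short trailer, which is why the check keys on both size and entropy rather than on mere presence of trailing data.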
It's designed to run for 36 days after installation, then automatically remove itself, according to Symantec.
Duqu first showed up Sept. 1 of this year, but may have been in the wild as early as December of 2010 – according to metadata within the malware identifying the time it was compiled.
Symantec found two variants of the main code, but warns in its report that others may be attacking other organizations without having been detected so far.
One of the two variants of W32.Duqu, as Symantec calls it, carries a valid digital certificate stolen from a company in Taipei, which was a Symantec customer. Symantec had the certificate revoked Oct. 14.
The certificate was stolen from its legitimate owner rather than fraudulently issued, which would have pointed to a compromise of the certificate-issuing process at Symantec or another certificate authority, according to an update from Symantec this morning.