November 07, 2011, 1:07 PM — The newly discovered Son-of-Stuxnet malware named Duqu may have been around longer than anyone thought, according to a blog post Friday on Kaspersky Labs' SecureList site.
According to Kaspersky blogger Ryan Naraine – who cites a tweet from Iran's Computer Emergency Response Team (IrCERT) – Duqu is actually a variant of the STARS virus Iran claimed to have identified in 2010 but has never released for other researchers to examine.
If the report is true, it means Duqu was designed – just as Stuxnet was – specifically as a way to spy on or sabotage the nuclear-weapons development program in Iran, according to Naraine, a former colleague who is a skilled reporter not known for getting his facts wrong.
The facts are slippery in this case, though.
The information came from Twitter user @msabz, a malware analyst in Virginia. He/she posted a notice reading "According to result of #IrCert investigations #Duqu is upgraded version of #Stars malware," but deleted the tweet almost immediately "for safety reasons."
Two weeks ago Roman security researcher Paolo Passeri posted a blog noting some odd astrophysical references common to Stuxnet and Duqu.
He wondered at the coincidence, as well as the claim in April that Iran had been attacked by a new virus with Stuxnet-like capabilities, which it named STARS, another astrophysical reference.
Now it appears some of the image files Stuxnet and Duqu use to encrypt and conceal the stolen data they're sending home are similar shots of deep space, some from the Hubble Telescope.
F-Secure is running a contest with some of the graphics, to find someone who can explain why Duqu hides data in a NASA pic of two galaxies colliding.
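The concealment the article describes – stolen data hidden inside an image file – leaves a trace a defender can check for without knowing anything about the malware's encryption. The example below is added here and is not code from the article, from Kaspersky, F-Secure or any researcher it quotes: it walks a JPEG's segment structure to the End-Of-Image marker and reports any bytes that follow it, which a well-formed JPEG should not have. The sample JPEG skeleton and the appended blob are constructed inline; the blob deliberately ends with a fake EOI marker so that a naive "find the last FFD9" check would miss it while the structural walk does not.

```python
"""Detect data appended after a JPEG's End-Of-Image (EOI) marker.

Constructed example added for illustration; not code from the original
article or from any vendor named in it. Works on any JPEG container,
including progressive files with several SOS segments.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM and the RST0..RST7 restart markers.
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def jpeg_payload_end(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking the segments.

    Raises ValueError if the data is not a well-formed JPEG container.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # 0xFF fill bytes before a marker are legal
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (seg_len,) = struct.unpack(">H", data[pos:pos + 2])
        if seg_len < 2:
            raise ValueError("invalid segment length")
        pos += seg_len              # length field counts itself
        if marker == SOS:
            # Entropy-coded data follows. Inside it, 0xFF is always followed by
            # 0x00 (byte stuffing) or by an RSTn marker; anything else is the
            # next real marker (another SOS, DHT, or EOI).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> bytes:
    """Bytes after the EOI marker; empty for a clean file."""
    return data[jpeg_payload_end(data):]


def _build_sample_jpeg() -> bytes:
    # Constructed minimal skeleton: SOI, APP0/JFIF header, one SOS segment whose
    # scan data contains byte stuffing (FF 00) and a restart marker (FF D0), EOI.
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\xFF\xD0\x56\xFF\x00\x78"
    return b"\xFF\xD8" + app0 + sos + scan + b"\xFF\xD9"


CLEAN_JPEG = _build_sample_jpeg()                       # constructed sample
APPENDED_BLOB = b"\x00\x11CONSTRUCTED-APPENDED-BLOB\xFF\xD9"  # constructed sample
TAMPERED_JPEG = CLEAN_JPEG + APPENDED_BLOB


def scan_files(files: dict) -> dict:
    """Map file name -> number of bytes past EOI (0 means nothing appended)."""
    return {name: len(trailing_data(blob)) for name, blob in files.items()}


if __name__ == "__main__":
    for name, extra in scan_files({"clean.jpg": CLEAN_JPEG,
                                   "tampered.jpg": TAMPERED_JPEG}).items():
        status = "suspicious: %d trailing bytes" % extra if extra else "clean"
        print(f"{name}: {status}")
```

Trailing bytes are not proof of anything on their own (some cameras and editors leave harmless padding), so treat a hit as a triage signal: compare the trailer's entropy with the rest of the file and correlate with which process wrote it and where it was sent.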