Symantec identifies Duqu malware evolved from Stuxnet in spy mode

Malware sharing the code of the Stuxnet worm has infected several industrial sites. The malware has been dubbed Duqu because of the frequent use of a .DQ file extension. In its present phase, Duqu seeks information about machinery and software.

Warwick Ashford Warwick Ashford

Warwick Ashford is chief reporter at Computer Weekly. He joined the CW team in June 2007 and is focused on IT security, business continuity, IT law and issues relating to regulation, compliance and governance. Before joining CW, he spent four years working in various roles including technology editor for ITWeb, an IT news publisher based in Johannesburg, South Africa. In addition to news and feature writing for ITWeb’s print publications, he was involved in liaising with sponsors of specialist news areas on the ITWeb site and developing new sponsorship opportunities. He came to IT journalism after three years as a course developer and technical writer for an IT training organisation and eight years working in radio news as a writer and presenter at the South African Broadcasting Corporation (SABC).

View all articles by Warwick Ashford >>

[email protected] 020 8652 8505 Active Warwick Ashford False True

Malware sharing some of the code of the Stuxnet worm has infected several industrial sites, according to researchers at Symantec.

At the time of its discovery last year, Stuxnet was described as the first cyber weapon, representing the most advanced piece of malicious software ever seen by researchers.

The malware has been dubbed Duqu because of the frequent use of a .DQ file extension. It appears to have evolved from the Stuxnet code, according to the Symantec researchers.

A large portion of Duqu's code is derived from Stuxnet and uses similar architecture and techniques. But instead of spreading or carrying a destructive payload, the malware seeks information about what machinery and software is installed on the system where it resides.

"We shouldn't jump to conclusions that it was developed by the same authors, but whoever created this malware had access to the original source code used to compile Stuxnet," says Chester Wisniewski, a senior security advisor at Sophos, Canada.

The components that were re-used were not those used to target SCADA/industrial control systems, but related driver files that provide the malware the ability to download additional components, Wisniewski wrote in a blog post.

Symantec reports that, after Duqu retrieves the additional malicious files, it is focuses on gathering information rather than industrial sabotage.

Sophos Labs has confirmed the driver files are signed, similar to the drivers used by Stuxnet. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for their embedded audio chipsets.

One of the key characteristics of Stuxnet was that it used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers.

Researchers are still uncertain whether Stuxnet's certificates were stolen or generated through compromised certificates to make it appear that the certificates belonged to those organisations. This was what happened with Google and others after Dutch certificate authority DigiNotar was breached.

As with Stuxnet, it is too early to determine anything definitive about the who, why or what this malware was designed to do, said Wisniewski.

"I can assure you that the security industry will be analysing these samples diligently to determine their intent," Wisniewski wrote.

Duqu appears to be in a "reconnaissance phase", although it also has the ability to update itself with new instructions, Symantec researcher Gerry Egan told the Financial Times.

He said it was logical that Stuxnet had gone through a similar phase as well, before being turned into an aggressive actor.

According to Egan, Duqu is still at a very early stage and if it was written by the same team that created Stuxnet, more attacks could be forthcoming.

Other security firms, including Intel's McAfee, Sophos and F-Secure, agree with Symantec's assessment and have updated their anti-virus software to detect Duqu.



Read more about Stuxnet and DigiNotar

MetaKeywords MetaDescription Sensitive Landingpage False

Read more on IT news in your industry sector