Duqu, Son of Stuxnet

by Andy on October 20th, 2011 in Security Alert.

An apparently modified version of the well-publicised Stuxnet worm has been discovered on a number of corporate computer systems in Europe. Analysis suggests that the malware, named Duqu (pronounced dyü-kyü), is based on the Stuxnet source code, giving rise to the possibility that Duqu was developed either by the Stuxnet authors or by developers who have had access to the source code.

Stuxnet, which was designed to target industrial control systems developed by Siemens, made headlines when it was discovered in Iran. The type of control systems that were targeted generated speculation that US and Israeli intelligence services worked together in an attempt to target Iran's nuclear program.

Despite sharing similarities in terms of code, structure and other technical elements, Stuxnet and Duqu have different objectives. Rather than being used for potentially destructive purposes, Duqu is used as a backdoor to allow attackers to remotely access compromised systems as a means to siphon off sensitive information and gather intelligence, potentially for use in future attacks. 

When installed, Duqu disguises itself as a device driver that loads when the system boots, whereupon further components are injected into running programs. Once established on the target system, Duqu communicates with a command and control server, allowing further information-harvesting programs to be installed. Harvested information is then recorded in encrypted logs for the attackers to smuggle out, back to the command and control server. In a twist, Duqu will run on the infected system for 36 days before deleting itself, possibly in an effort to remain under the radar.

While Duqu is an example of a significantly more evolved threat, it shares with Stuxnet the characteristic of being a low-prevalence, highly targeted threat against specific organisations, so it is unlikely that home users will find themselves victims of this malware. Its discovery is likely to be of particular concern to corporations and other organisations who seek to protect against leaks of sensitive and valuable data.