New Stuxnet-like virus hits Europe

Published 24 October 2011

The dreaded Stuxnet worm, the first known computer virus to cause physical damage, may have spawned a dangerous new piece of malware: researchers at Symantec believe they have discovered on European computers a new virus that uses many of the same techniques

Duqu provides the pathways for Stuxnet to do its damage // Source: inquisitr.com

According to Liam O Murchu, a Symantec researcher who has extensively analyzed Stuxnet, parts of the new code, which has been named “Duqu,” are nearly identical to Stuxnet and appear to have been written either by the same authors or by programmers with direct access to Stuxnet’s source code.

Like Stuxnet, Duqu disguises itself as legitimate code to avoid detection. In addition, the malware hides in a computer’s memory rather than on the hard drive, where file-scanning anti-virus software would find it, a technique beyond most malware of the time.

Duqu does not self-replicate to infect other computers, and unlike Stuxnet it carries no destructive payload that damages hardware. Instead, researchers believe it is a precursor to a Stuxnet-like attack, gathering intelligence about industrial control systems for a targeted attack later.

“When we talked about Stuxnet before, we expected there was another component of Stuxnet we didn’t see that was gathering information about how a plant was laid out,” O Murchu said. “But we had never seen a component like that [in Stuxnet]. This may be that component.”

Based on the dates some of the code was compiled, researchers believe Duqu may have been in place as early as December 2010, about five months after the discovery of Stuxnet.

“The real surprising thing for us is that these guys are still operating,” O Murchu said. “We thought these guys would be gone after all the publicity around Stuxnet. That’s clearly not the case. They’ve clearly been operating over the last year. It’s quite likely that the information they are gathering is going to be used for a new attack. We were just utterly shocked when we found this.”

Duqu is designed to operate for thirty-six days before automatically removing itself from an infected system.

So far, Duqu infections have not clustered in any one geographical region, whereas Stuxnet was found primarily in Iran. O Murchu believes a pattern could emerge if new infections are discovered.

Researchers still do not know how Duqu has been getting onto the systems it infects.

“There’s an installer component [to Duqu] we haven’t seen,” O Murchu said. “We don’t know if the installer is self-replicating. That’s a piece of the jigsaw that we’re missing right now.”

Stuxnet, which is widely believed to have been created by the U.S. and Israeli military, was introduced on USB sticks loaded with the worm; it exploited a zero-day vulnerability in how Windows handled shortcut (.LNK) files (CVE-2010-2568) to run as soon as the stick’s contents were displayed, and from there spread across systems.