Stuxnet precursorA precursor to the next Stuxnet discovered

Published 19 October 2011

Symantec reports the discovery of a sample malware that appeared to be very similar to Stuxnet, the malware which wreaked havoc in Iran’s nuclear centrifuge farms last summer; the new malware — dubbed Duqu — is essentially the precursor to a future Stuxnet-like attack; the threat was written by the same authors (or those that have access to the Stuxnet source code); Duqu gathers intelligence data and assets from entities, such as industrial control system manufacturers, in order more easily to conduct a future attack against another third party

Symantec Connect, the company’s blog, reports that on 14 October 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware which wreaked havoc in Iran’s nuclear centrifuge farms last summer. The lab named the threat “Duqu” [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided Symantec with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet.

The blog says that Symantec was able to confirm the comparison. “Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose,” it writes.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order more easily to conduct a future attack against another third party. The attackers are looking for information such as design documents that could help the attacker mount a future attack on an industrial control facility.

The blog notes that Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT).

Also, the threat does not self-replicate. “Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets,” the blog notes. “However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.”

The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information.

Key points:

  • Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
  • The executables are designed to capture information such as keystrokes and system information.
  • Current analysis shows no code related to industrial control systems, exploits, or self-replication.
  • The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
  • The exfiltrated data may be used to enable a future Stuxnet-like attack.

You can find additional details in this Symantec paper.