On October 18th, 2011, Kim Zetter reported for Wired on how a new piece of malware using some of the same techniques as Stuxnet has been found infecting systems in Europe. Liam Murchu, a cybersecurity expert for Symantec, said that the new malware, named “Duqu” [dü-kyü], appears to have been written by the same authors as Stuxnet or written by someone with direct access to Stuxnet's source code. Duqu, like Stuxnet, masks itself as legitimate code by using a valid digital certificate. Duqu then maps out unknown industrial control systems, gathering intelligence for a later targeted attack. However, Duqu differs from Stuxnet in that Duqu is not a worm, does not self-replicate in order to spread, and does not contain a destructive payload to damage hardware.
Duqu appears to have been operative for at least a year. Murchu went on to say that “The real surprising thing for us is that these guys are still operating. We thought these guys would be gone after all the publicity around Stuxnet. That’s clearly not the case. They’ve clearly been operating over the last year. It’s quite likely that the information they are gathering is going to be used for a new attack. We were just utterly shocked when we found this.” Symantec has declined to name the countries where the malware was found, but did say that the malware was found in the manufacturing and critical infrastructure sectors.
The source article can be found here.
Leave a Reply