Reworked Version of Stuxnet Relative Duqu Found in Iran
A new variant of the mysterious Duqu worm has been spotted in Iran by researchers from the security firm Symantec, marking the re-emergence of the close cousin of the Stuxnet cyberweapon after five months of dormancy.
The finding indicates that the unknown creators of Stuxnet — suspected by many to be the intelligence services of the U.S., of Israel or of both — are still at work.
In a Symantec blog posting yesterday (March 20), the company identified a new component of the malware, a driver used to load Duqu onto computers when they restart. Analyzing the driver's code — "only one small part of the overall attack code" — Symantec's researchers found that the malware authors had reworked it to better evade detection by security products.
Duqu's builders also changed its encryption algorithm and rigged the malware loader to pose as a Microsoft driver. (The old driver was signed with a stolen Microsoft certificate.)
"Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active," Symantec wrote.
First discovered in September 2011, but bearing code indicating it was created in 2007, Duqu is closely related to the Stuxnet worm, which in the summer of 2010 infected and crippled Iran's Natanz nuclear-fuel processing facility.
Duqu's true intentions are unclear. Some security experts believe it is designed to steal data from critical industrial-control systems in Iran and Europe, similar to the energy facilities Stuxnet targeted; others believe it is meant to steal the authentication certificates that websites use to verify their identities.
Whatever its intent, countries including Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands have confirmed Duqu infections. Just days ago, researchers at another security firm, Kaspersky Lab, identified the mysterious programming language used to create part of Duqu after appealing to the larger security community for help.
The latest Duqu component, Symantec said, was compiled Feb. 23, indicating it hasn't been in the wild for very long. The last unique version of Duqu that Symantec had previously spotted was compiled on Oct. 17, 2011.
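Dating a component the way Symantec does above comes down to reading the TimeDateStamp field of the PE/COFF header of the driver file. The following is an added example, not code from the article or from Symantec: it walks the DOS header to the COFF header, returns the stamp as a UTC datetime, and is exercised on constructed minimal PE header stubs whose timestamps are set to the two dates quoted in the article (the stubs are not real Duqu samples).

```python
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout walked: DOS header 'MZ' -> e_lfanew (4 bytes at offset 0x3C)
    -> 'PE\0\0' signature -> COFF file header, where TimeDateStamp is the
    4-byte field after Machine (2 bytes) and NumberOfSections (2 bytes).
    Note for triage: the field is attacker-controlled and can be forged,
    so treat it as a lead to corroborate, not as proof of build date.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4) + COFF header (20) must fit inside the buffer.
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    timestamp = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def build_stub_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE header stub for testing.

    Only the fields the parser needs are meaningful: an MZ header with
    e_lfanew pointing at 0x40, the PE signature, and a 20-byte COFF header
    (Machine=0x14C, one section, the given stamp, remaining fields zero).
    """
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed samples stamped with the two dates quoted in the article.
NEW_DRIVER_STUB = build_stub_pe(
    int(datetime(2012, 2, 23, tzinfo=timezone.utc).timestamp()))
OLD_DRIVER_STUB = build_stub_pe(
    int(datetime(2011, 10, 17, tzinfo=timezone.utc).timestamp()))


def days_between_builds(older: bytes, newer: bytes) -> int:
    """Whole days between the compile stamps of two PE images."""
    return (pe_compile_time(newer) - pe_compile_time(older)).days


if __name__ == "__main__":
    print(pe_compile_time(NEW_DRIVER_STUB).date())        # 2012-02-23
    print(days_between_builds(OLD_DRIVER_STUB, NEW_DRIVER_STUB))
```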
Dennis Fisher from Kaspersky Lab, which has spent numerous hours studying Duqu, wrote in a blog posting March 20 that, based on the new Duqu variant, it appears that the worm is specifically tailored to each target.
"Rather than writing one piece of malware and spreading it to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted component and drivers," Fisher wrote.