First came Stuxnet computer virus: now there's Duqu

WASHINGTON Tue Oct 18, 2011 7:21pm EDT

WASHINGTON (Reuters) - First there was the Stuxnet computer virus that wreaked havoc on Iran's nuclear program. Now comes "Duqu," which researchers on Tuesday said appears to be quite similar.

Security software firm Symantec said in a report that a research lab with international connections alerted it on Friday to malicious code that "appeared to be very similar to Stuxnet." It was named Duqu because it creates files with "DQ" in the prefix.

The U.S. Department of Homeland Security said it was aware of the reports and was taking action.

"DHS' Industrial Control Systems Cyber Emergency Response Team has issued a public alert and will continue working with the cyber security research community to gather and analyze data and disseminate further information to our critical infrastructure partners as it becomes available," a DHS official said.

Symantec said samples recovered from computer systems in Europe and a detailed report from the unnamed research lab confirmed the new threat was similar to Stuxnet.

"Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose," Symantec said. "Duqu is essentially the precursor to a future Stuxnet-like attack."

Stuxnet is malicious software that targets widely used industrial control systems built by German firm Siemens. It is believed to have crippled centrifuges Iran uses to enrich uranium for what the United States and some European nations have charged is a covert nuclear weapons program.

Cyber experts say its sophistication indicates that Stuxnet was possibly produced by the United States or Israel.

The new Duqu computer virus is designed to gather data from industrial control system manufacturers, capturing information including keystrokes, to make it easier to launch an attack in the future.

"The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," Symantec said.

"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)," Symantec said. "The threat does not self-replicate."

Duqu shares "a great deal of code with Stuxnet" but instead of being designed to sabotage an industrial control system, the new virus is designed to gain remote access capabilities.

"The creators of Duqu had access to the source code of Stuxnet," Symantec said.

(Reporting by Tabassum Zakaria; Editing by Eric Walsh)

Comments (1)
TechnoWriter wrote:
Duqu is the long predicted Son of Stuxnet, but be assured, this will not be the only scion of The Worm that Turned the World. Industrial security expert Ralph Langner and I have been anticipating for more than a year the appearance of Stuxnet-derived software. Duqu seems relatively tame with its reconnaissance mission, but the same techniques that crippled the centrifuges at Natanz can be used to take out power generators and water treatment plants and natural gas distribution systems. The attack scenario in the Lior Samson thriller, Web Games (Gesher Press, 2010), in which the U.S. power grid is threatened, is completely plausible. The intelligence community that unleashed Stuxnet has distributed blueprints and spare parts for a complete family of weapons. Next time, they might be directed at us.

–Larry Constantine (Lior Samson)

Oct 19, 2011 1:10pm EDT