Researchers from an international research laboratory have uncovered a Trojan which they have christened "Duqu" because it creates files with the file-name prefix "~DQ". They provided Symantec with samples recovered from computer systems located in Europe, as well as a detailed report with the laboratory's initial findings, including an analysis comparing the threat to Stuxnet.
According to Symantec, one of the main differences between Duqu and Stuxnet is their raison d'être. Stuxnet was a worm that served as the agent of a sophisticated cyberattack against the nuclear operations of rogue state Iran. Duqu is described as a reconnaissance tool and is considered a Trojan: it collects sensitive information and communicates surreptitiously with a command-and-control (C&C) server that, at the time Symantec published its security warning, was still operational.
The information collected is stored, lightly encrypted, as a log file on the affected system. The file is not sent remotely; it has to be collected from the system. Duqu manages to operate unbeknownst to users because it communicates with its C&C server via HTTP and HTTPS. Its network traffic has also been innocuously disguised as the downloading or uploading of dummy JPG files. Such seemingly normal traffic in a typical network environment would not ordinarily be flagged as suspicious activity by firewalls or intrusion detection systems.
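As an added illustration of the detection point above (this is not code from the article or from Symantec): a defensive heuristic that checks whether an HTTP body labelled as a JPEG is actually a well-formed JPEG, and flags bodies that lack JPEG structure or carry data after the end-of-image marker. The `HttpMessage` shape, header names and sample bodies are constructed for the example; the page does not describe Duqu's actual file layout, so the check only encodes what "a JPEG should look like".

```python
"""Heuristic inspection of HTTP messages that claim to carry JPEG images.

Added example, not from the Duqu report. A real deployment would be fed
from a proxy or IDS; here the messages are constructed inline.
"""
from dataclasses import dataclass, field

JPEG_SOI = b"\xff\xd8"  # Start of Image marker
JPEG_EOI = b"\xff\xd9"  # End of Image marker


@dataclass
class HttpMessage:
    """Minimal stand-in for a request or response (assumed shape)."""
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def jpeg_structure(body: bytes) -> tuple[bool, str]:
    """Walk the JPEG segment chain; return (well_formed, reason).

    Segments before Start of Scan carry a 2-byte big-endian length that
    includes the length field itself. After SOS the entropy-coded data runs
    to EOI, which must be the last two bytes of the body.
    """
    if not body.startswith(JPEG_SOI):
        return False, "missing SOI marker"
    pos = 2
    while pos + 4 <= len(body):
        if body[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = body[pos + 1]
        if marker == 0xDA:  # Start of Scan
            eoi = body.find(JPEG_EOI, pos)
            if eoi < 0:
                return False, "no EOI marker after scan data"
            trailing = len(body) - (eoi + 2)
            if trailing:
                return False, f"{trailing} bytes of trailing data after EOI"
            return True, "well-formed JPEG"
        seg_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(body):
            return False, f"bad segment length at offset {pos}"
        pos += 2 + seg_len
    return False, "truncated before Start of Scan"


def inspect_message(msg: HttpMessage) -> tuple[str, str]:
    """Return ('ignore'|'ok'|'alert', reason) for one HTTP message."""
    ctype = msg.headers.get("content-type", "").lower()
    claims_jpeg = "image/jpeg" in ctype or msg.path.lower().endswith((".jpg", ".jpeg"))
    if not claims_jpeg:
        return "ignore", "does not claim to be JPEG"
    ok, reason = jpeg_structure(msg.body)
    return ("ok" if ok else "alert"), reason


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (helper for constructed samples)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample bodies: a tiny valid JPEG, the same with data appended,
# and a non-image body served with an image content type.
GOOD_JPEG = (
    JPEG_SOI
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                      # SOS
    + b"\x12\x34\x56"                                              # scan data
    + JPEG_EOI
)
APPENDED_JPEG = GOOD_JPEG + b"\x00\x11\x22\x33\x44\x55"
NOT_A_JPEG = b"<html><body>placeholder</body></html>"

SAMPLES = {
    "clean": HttpMessage("/img/banner.jpg", {"content-type": "image/jpeg"}, GOOD_JPEG),
    "appended": HttpMessage("/img/banner.jpg", {"content-type": "image/jpeg"}, APPENDED_JPEG),
    "mislabelled": HttpMessage("/img/logo.jpg", {"content-type": "image/jpeg"}, NOT_A_JPEG),
    "unrelated": HttpMessage("/index.html", {"content-type": "text/html"}, NOT_A_JPEG),
}


def run_samples() -> dict:
    """Inspect every constructed sample and return {name: verdict}."""
    return {name: inspect_message(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict, reason = inspect_message(msg)
        print(f"{name:12s} {verdict:7s} {reason}")
```

The "appended" case matters more than the "mislabelled" one: a body that is a valid image up to EOI and then continues is invisible to a content-type check and to most image viewers, so the trailing-data test is where a check like this earns its keep. Restart markers and TEM, which carry no length field, are not handled here because they only appear inside scan data, which the walker does not parse.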
Duqu has been programmed to be operational for a total of 36 days, after which it "will automatically remove itself from the system". Duqu shares a great deal of code with Stuxnet, but the former's modus operandi is akin to a worm with general remote access capabilities. This is proof that the creators of Stuxnet are active and may be planning a similar cyberattack along the lines of Stuxnet in the future.
"The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks."
- Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
- The executables are designed to capture information such as keystrokes and system information.
- Current analysis shows no code related to industrial control systems, exploits, or self-replication.
- The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
- The exfiltrated data may be used to enable a future Stuxnet-like attack.
Source: Symantec Corporation