Duqu - Next Major Cyber Weapon like Stuxnet
The Hacker News
The Stuxnet cyberworm could soon be modified to attack vital industrial facilities in the US and abroad, cybersecurity experts warned Wednesday at a Senate hearing.

Computer security companies agree that these virus is unprecedented and it means the dawn of a new world. Stuxnet and Duqu were not designed to steal money or send spam but to sabotage plants and cause damage in industrial environments. Expect the appearance of additional copies.

The Stuxnet virus that attacked Iran's nuclear program can cripple the country's nuclear facilities for two years, a German computer expert announced on Wednesday, December 15, 2010.

From what researchers can tell, Duqu's mission is to gather intelligence data and assets from entities like industrial control system manufacturers, to more easily conduct a future attack against another third party.

According to Symantec, the next threat, dubbed "DuQu" because the code has the code string ~DQ within it, is a surveillance-based Trojan horse, designed to relay information back to a command and control center. DuQu uses mock .jpg files along with other dummy files, all encrypted, to exfiltrate data. Unlike Stuxnet, which specifically damaged Siemens PCS 7 systems, DuQu appears to be only collecting information about the design of other industrial control systems. DuQu only has an active lifetime of about 36 days, but this is probably to limit its discovery.

The Symantec report states "the threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered." F-Secure's Mikko Hypponen tweeted "Duqu's kernel driver (JMINET7.SYS) is so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems actually thought it's Stuxnet."

At this time DuQu does not propagate and has been released only within targeted industries, although Symantec admits it may also be elsewhere and not yet discovered. The original compile dates on some of the variants of DuQu so far analyzed suggest it may have existed as far back as November 3, 2010. Stuxnet compile dates were between June 2009 and March 2010 and therefore pre-date DuQu.
More from the Symantec Security Response blog:


Key points are:
• Executables developed after Stuxnet using the Stuxnet source code have been discovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.

Clues to DuQu's origin do exist. For example, it uses a digital certificate set to expire August 2, 2012, issued from a company in Taipei, Taiwan. F-Secure's Hypponen thinks the certificate was stolen from C-Media in Taiwan. Symantec says that certificate was revoked on October 14, 2011.

The best research into Duqu so far has been done by Symantec. They've been at it for a while, and have today published a 46-page whitepaper on it.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.