Two workers at a web-hosting company called Web Werks told Reuters that officials from India's Department of Information Technology last week took several hard drives and other components from a server that security firm Symantec Corp told them was communicating with computers infected with Duqu.
The equipment seized from Web Werks, a privately held company in Mumbai with about 200 employees, might hold valuable data to help investigators determine who built Duqu and how it can be used. But putting the pieces together is a long and difficult process, experts said. "This one is challenging," said Marty Edwards, director of the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team. "It's a very complex piece of software."
The Duqu trojan is composed of several malicious files that work together for a malicious purpose.
Security firms including Dell Inc's SecureWorks, Intel Corp's McAfee, Kaspersky Lab and Symantec say they found Duqu victims in Europe, Iran, Sudan and the United States. They declined to provide their identities.
Duqu so named because it creates files with "DQ" in the prefix -- was designed to steal secrets from the computers it infects, researchers said, such as design documents from makers of highly sophisticated valves, motors, pipes and switches.
Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
"We are a little bit behind in the game," said Don Jackson, a director of the Dell SecureWorks Counter Threat Unit. "Knowing what these guys are doing, they are probably a step ahead."