According to an alert report published by Symantec, the new threat designated ‘Duqu’ has parts nearly identical to Stuxnet, but with a completely different purpose. “Duqu is essentially the precursor to a future Stuxnet-like attack,” Symantec warns. The Symantec report added: “The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered.” Symantec assesses this code could have been in action since December 2010. The threat’s executable file was signed with a private key that was stolen from a customer that had acquired it legally from Symantec, the company stated.
Unlike Stuxnet, which was seemingly designed for a specific attack mission (allegedly, the Iranian centrifuges), Duqu’s purpose is to gather specific intelligence data and assets from specific organizations, such as industrial control system manufacturers. This information will assist its designers in tailoring specific cyber weapons for future attacks.
As a silent spy, Duqu does not contain any ‘warhead’ (code intended to affect industrial control systems), as its primary mission as a Remote Access Trojan (RAT) is to access the system of interest, then record and transmit information back to the control entity. Furthermore, this threat does not self-replicate in the targeted system. To carry out this mission, Duqu installs an ‘infostealer’ to record keystrokes (a keylogger) and gain other system information. Gathered information is encrypted and packed in a file that looks like an image, which has to be exfiltrated from the compromised system via an Internet connection. Duqu has a life span of 36 days and, when that expires, it automatically removes itself from the system.