New malware appears carrying Stuxnet code


A sibling of one of the most complex and potentially menacing computer worms ever created has impacted roughly five Europe-based manufacturers of industrial control systems, security researchers said Tuesday.

But this malware, dubbed Duqu, is not Stuxnet Part Two, at least not yet.

"It's not doing any type of cyber sabotage like Stuxnet did," Kevin Haley, director of Symantec Security Technology and Response, told SCMagazineUS.com on Tuesday. "It's really at the reconnaissance phase."

According to the security firms that examined the code, which was initially discovered by an unnamed research group that shared its findings with the vendors, the threat reuses Stuxnet code, indicating that the authors of the first malware built specifically to attack industrial control systems are back at it.

Haley said Symantec researchers examined two variants of Duqu. Once on a machine, the samples download a remote access tool that gives the operators control of the computer and opens communication with a command-and-control server. One of the variants studied also installed an "Infostealer" trojan designed to record keystrokes and map the surrounding network. Duqu is configured to delete itself after 36 days, Haley said.

The code, according to McAfee researchers Guilherme Venere and Peter Szor, mimics Stuxnet in its encryption keys and drivers. Like Stuxnet, the threat uses a driver file signed with a legitimate digital certificate, in this case one belonging to Taiwan-based C-Media Electronics, according to F-Secure. A valid signature proves only that whoever held the signing key signed the file; it says nothing about whether that key was in the hands of the company named on the certificate.
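Because Duqu's driver passes a plain "is it signed?" check, the practical lesson is to audit loaded drivers by signer identity rather than signature validity alone. The following PowerShell audit is an added example, not code from the article or from any of the vendors quoted; it lists every running kernel driver with its signer and flags those whose signer subject matches a watchlist. The C-Media entry in the watchlist comes from this article; the function names, the path handling and the idea of a watchlist are assumptions of the example.

```powershell
# Added example (not from the article or any vendor): audit running kernel drivers
# by signer identity rather than by signature validity alone.
# A valid Authenticode signature proves that the holder of the private key signed
# the file; it does not prove that the key holder was the legitimate vendor.

# Signer subject fragments worth a second look. The C-Media entry is the company
# named in this article; the list itself is illustrative and should be maintained
# from your own threat intelligence.
$SignerWatchlist = @('C-Media')

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; map them to Win32 paths.
    if (-not $RawPath) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignerReport {
    param([string[]]$Watchlist = $SignerWatchlist)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not ($path -and (Test-Path -LiteralPath $path))) { return }

            # Get-AuthenticodeSignature also consults the catalog store, so
            # catalog-signed inbox drivers report a signer as well.
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $subject = ''
            $thumb   = ''
            if ($sig.SignerCertificate) {
                $subject = $sig.SignerCertificate.Subject
                $thumb   = $sig.SignerCertificate.Thumbprint
            }

            $onWatchlist = $false
            foreach ($needle in $Watchlist) {
                if ($subject -like "*$needle*") { $onWatchlist = $true }
            }

            [pscustomobject]@{
                Driver     = $_.Name
                Path       = $path
                Status     = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError ...
                Signer     = $subject
                Thumbprint = $thumb
                Watchlist  = $onWatchlist
            }
        }
}

# Usage: show drivers whose signature verifies but whose signer is on the watchlist,
# which is exactly the case a "signed means safe" check would wave through.
Get-DriverSignerReport |
    Where-Object { $_.Status -eq 'Valid' -and $_.Watchlist } |
    Format-Table Driver, Signer, Thumbprint, Path -AutoSize
```

Two caveats when reading the output. First, a certificate that was valid when the file was signed may still verify after the issuer revokes it if the signature carries a trusted timestamp, so cross-check flagged thumbprints against the issuer's revocation data rather than relying on `Status` alone. Second, the watchlist only catches signers you already know about; the more durable control is to baseline the full signer set on a known-good host and alert on any signer that is new.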

"What this means is whoever wrote Stuxnet is back at it again," Haley said. "They're at the phase where they're gathering information. What they're going to do with that information, potentially, is to create the new Stuxnet."

Researchers are still unclear how the malware initially infects a target machine, and how it propagates.

"What it's accomplishing is not sophisticated," Haley said. "It's pretty straightforward. [But] the underlying code itself, some of that code is from Stuxnet, and the Stuxnet code itself is very complex and sophisticated...It's very typical for malware authors to reuse code. This is no different. They felt pretty comfortable the people they were targeting, whatever security they were using, would not discover the code."

Although the origin of Stuxnet, built to sabotage Iran's nuclear program by targeting the Siemens control software used there, has never been officially confirmed, it is widely believed to have originated in the United States or Israel.
