(LiveHacking.Com) – Details are emerging about a new worm which seems to be based on Stuxnet, the worm that was allegedly used by either Israel or the USA to attack Iran’s nuclear research.
According to Symantec the new worm, which has been dubbed Duqu because it creates files with the prefix “~DQ”, has parts which are nearly identical to those of Stuxnet, but with a completely different purpose.
Duqu shares a large proportion of its code with Stuxnet, but the payload carried by the worm is not intended to sabotage an industrial control system; instead it grants general remote access to a remote command-and-control (C&C) server. This shows that the writers of Duqu have access to the Stuxnet source code and not just its binaries.
Although the analysis of the worm shows no code related to industrial control systems, the executables have been found in organizations involved in the manufacturing of industrial control systems.
It is possible that this is a precursor to a future Stuxnet-like attack:
The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
This now calls into question the almost universal belief that Stuxnet was written by either Israel or the USA, as either of these two countries launching some kind of cyber attack on European companies is almost unthinkable due to the amount of political damage that would be done.