Duqu, Stuxnet's Zombie Cousin, Is Coming For Our Data

Late last July, U.S. government cybersecurity officials "warned":http://www.reuters.com/article/2011/07/28/us-cybersecurity-stuxnet-idUSTRE76R5PH20110728 of the "Stuxnet virus":http://en.wikipedia.org/wiki/Stuxnet – THE VIRUS DESIGNED TO PHYSICALLY DESTROY IRAN’S NUCLEAR FACILITIES – morphing into a new, more menacing threat to other industrial infrastructures. “Attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems,” they said in joint testimony to the House Energy and Commerce Committee.

If that concern sounded ironic – this digital Pandora’s Box was opened, say experts, by none other than the U.S. itself, possibly in cahoots with Israel – it’s hard to laugh now: the threat of an “evolved” Stuxnet is real, and it’s already spreading.

Symantec recently revealed (PDF) one such variant, a data-lifting Trojan detected on European computer systems that the security software firm is calling the “precursor to the next Stuxnet.”

Liam O Murchu, an authority on Stuxnet who has intensely analyzed the worm with two of his colleagues at Symantec, tells Wired the new malware, dubbed Duqu, “contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet code.”

Duqu malware configuration, via Symantec

But unlike Stuxnet, which singled out the specific software beneath Iran’s nuclear program, this new malware installs a backdoor to gather information like design documents, which could then be used in future cyberattacks. Built more for reconnaissance and to gain remote access capabilities – not to drop crippling payloads – Duqu automatically removes itself from infected systems after 36 days.

Duqu writes files whose names carry the prefix “~DQ” onto infected systems. (The malware uses five files, according to O Murchu.) Like Stuxnet, it disguises itself as authentic code via a driver file signed with a legitimate digital certificate. Symantec claims the certificate traces to a company based out of Taipei, Taiwan, but isn’t naming names. (Helsinki-based F-Secure says it’s C-Media Electronics Inc., a hardware manufacturer specializing in USB storage, PC audio processors and various wireless audio gadgets.)

Wherever this goes and whatever it gathers, Duqu isn’t just a sign of the growing threat that viruses pose, but of the difficulty of controlling them once they’ve been unleashed. It’s like the proliferation problem that America’s atomic weapon builders once faced, and that we still face today. But the threat is a lot harder to notice, and a lot harder to stop. Hold onto your butts.

Reach this writer at brian@motherboard.tv.