Internet security company Symantec warns that a computer virus similar to Stuxnet has been found by a group of European computer scientists.
Stuxnet was a highly sophisticated computer virus discovered in July 2010. It targeted industrial control systems in order to take control of industrial facilities, such as power plants. A majority of the attacks took place in Iran, Indonesia and India.
The motivations for creating such a program are unknown, though probably some form of espionage. Stuxnet required a huge amount of resources and technical knowledge, so some experts speculate it could have been made by a commercial company, or even a powerful government.
Now a new virus built from the same source code, named Duqu, has been discovered. It is called Duqu because it creates files with the file name prefix "~DQ". Though parts of Duqu are almost identical to Stuxnet, it seems to have been created for a completely different purpose. That means either the author of Stuxnet created the new virus, or shared Stuxnet's source code with someone else.
Experts say it is the precursor to another Stuxnet-like attack. Duqu was created to gather intelligence data. It records keystrokes and other system data, such as design documents, to aid future attacks.
"Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets," Symantec said on its blog. "However, it's possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants."
The attacks use Duqu to install another infostealer that can record keystrokes and gather system information. However, Duqu is not a self-replicating worm like Stuxnet; it is a remote access Trojan. Since it does not self-replicate, there are two ways it can infect its target: the attackers can plant it themselves by finding a vulnerability in the target's security systems, or they can trick an employee of the company into opening an infected file or visiting an infected Web site.
Duqu hides itself by mimicking normal Internet traffic and sending JPEG images. Bundled with those images, however, are lightly-encrypted packets of stolen data. If the virus has not been detected within 36 days, Duqu automatically removes itself from the computer and may never be detected.
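The article says only that the stolen data was bundled with the images, not how. A generic check a defender can still run on outbound image files is to walk the JPEG marker structure to the end-of-image marker and flag anything that trails it, since a well-formed JPEG ends there. The example below is added here and is not code from the article or from Symantec's report; the minimal JPEG skeleton and the appended blob are constructed test data, and nothing in it reproduces Duqu's actual format, which the article does not describe.

```python
import math
from typing import Optional

# Constructed minimal JPEG skeleton: structurally valid markers, not a decodable picture.
SOI = b"\xff\xd8"
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOF0 = b"\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00"
SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
SCAN = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # contains a byte-stuffed FF 00 and an RST0 marker
EOI = b"\xff\xd9"

CLEAN_JPEG = SOI + APP0 + SOF0 + SOS + SCAN + EOI
# Constructed stand-in for an appended data blob (high-entropy bytes plus a text tag).
PAYLOAD = bytes(range(256)) + b"CONSTRUCTED-SAMPLE"
TAMPERED_JPEG = CLEAN_JPEG + PAYLOAD


def find_eoi_end(data: bytes) -> Optional[int]:
    """Walk the JPEG marker segments and return the offset just past the EOI
    marker (FF D9), or None if the data is not a JPEG or EOI is never reached."""
    if len(data) < 4 or data[:2] != SOI:
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None  # a marker was expected here; the structure is broken
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2  # TEM and RSTn are standalone markers with no length field
            continue
        if pos + 3 >= len(data):
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        pos += 2 + seg_len
        if marker == 0xDA:
            # Entropy-coded scan data follows SOS; it ends at the first FF that is
            # neither a stuffed FF 00 nor a restart marker FF D0..D7.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_payload(data: bytes) -> bytes:
    """Return whatever bytes follow the EOI marker (empty for a clean file)."""
    end = find_eoi_end(data)
    return b"" if end is None else data[end:]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; values near 8 suggest compressed or encrypted content."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_jpeg(data: bytes) -> dict:
    """Summarise one file: is it parseable, how much trails EOI, how random is it."""
    end = find_eoi_end(data)
    if end is None:
        return {"valid": False, "trailing_bytes": 0, "entropy": 0.0, "suspicious": True}
    trailing = data[end:]
    return {
        "valid": True,
        "trailing_bytes": len(trailing),
        "entropy": round(shannon_entropy(trailing), 2),
        "suspicious": len(trailing) > 0,
    }


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("tampered", TAMPERED_JPEG)):
        print(name, inspect_jpeg(blob))
```

Trailing bytes alone are not proof of anything (some cameras and editors append metadata past EOI), which is why the check reports the entropy of the tail as well; a near-8-bit tail on an image leaving the network is what merits a closer look, and an unparseable file that claims to be a JPEG is flagged outright.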
"The attackers were searching for assets that could be used in a future attack," the report said. "In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011."
So far Duqu has only affected a few organizations in Europe.