The makers of the Stuxnet worm, which spied on and attacked an Iranian nuclear site in June 2010, may have struck again, security researchers believe.
The U.S. Department of Homeland Security is taking the apparent threat seriously, and has also warned operators of industrial control systems of a potential threat from the hacker group known as Anonymous.
The new threat is called Duqu because the files it creates carry the prefix DQ. Symantec, the security software specialist that learned of the threat from a customer, believes Duqu is a precursor to a future Stuxnet-like attack.
Stuxnet infected thousands of computers in 155 countries last year, but the bug made headlines when experts claimed the worm was designed as an American-Israeli project meant to sabotage computers used to enrich uranium at the Natanz nuclear site in Iran.
Symantec researchers haven't determined how the Duqu code reached its target, but senior security response manager Vikram Thakur called the worm extremely sophisticated and cutting edge.
Experts believed Stuxnet was configured to damage the motors used to power the centrifuges for uranium enrichment, causing them to spin out of control. Government officials in both Washington and Jerusalem have steadfastly declined comment since then.
Symantec, based in Mountain View, Calif., said in its blog that the threat was highly targeted at a limited number of organizations for their specific assets.
Most users need not worry about the threat of another Stuxnet virus. Government or industrial computers, on the other hand, have great cause for concern.
Analysis of Duqu reveals parts identical to Stuxnet, which suggests it was written by the same authors or by people who had access to the Stuxnet source code.
Unlike Stuxnet, Duqu does not contain any code related to industrial control systems and does not self-replicate, Symantec added. In other words, Duqu is designed to gather information, not to attack industrial systems as Stuxnet did.
The code itself is highly sophisticated, although it is not known whether the worm is politically or state motivated.
If it is the Stuxnet author, it could be that they have the same goal as before, said Symantec CTO Greg Day. But if the code has been given to someone else, they may have a different motive.
Duqu uses a jigsaw of multiple components, including a stolen Symantec digital certificate, to infect its desired computer targets. Once a machine is infected, the worm removes itself after 36 days, which suggests it is designed to remain hidden to a greater degree than Stuxnet was.
We provide digital certificates to validate identity and this certificate was stolen from a customer in Taiwan and reused, Day said.
The original Stuxnet worm, which targeted Siemens industrial software and equipment running Microsoft Windows, was the first malware discovered to spy on and subvert industrial systems. Since the Stuxnet attack in June 2010, governments have been forced to beef up their security systems to protect against cyber attacks.
However, Stuxnet was not the only recent case of malware designed to disrupt governments. In May, U.S. defense contractor Lockheed Martin was a victim of a cyber attack, although none of its programs were compromised because it detected the attack almost immediately.