Yesterday's startling news that a new variant on the Stuxnet worm, dubbed "Duqu," had been found raised a lot of questions — and threw into doubt some assumptions about the original Stuxnet.
Stuxnet was designed to disrupt operations at a specific Iranian nuclear-weapons facility, and the general consensus among security and intelligence experts is that it was hatched by the United States and Israel as a bloodless alternative to a military strike.
Stuxnet's source code has never been released, yet Duqu shares unmistakable similarities with Stuxnet, to the point where some anti-virus software flagged them as the same thing. To some experts, that's proof that the same people were behind both bugs.
"This new backdoor was created by the same party that created Stuxnet," security expert Mikko Hypponen of the Finnish anti-virus company F-Secure wrote in a blog posting yesterday (Oct. 18).
Asked whether that meant that if the U.S. and Israel were behind one, they'd be behind the other, Hypponen told SecurityNewsDaily, "It would, yes."
Not necessarily, countered Graham Cluley, a security expert with Sophos, an anti-virus software maker in Oxfordshire, England.
"To the best of my knowledge, there's been no firm evidence that the U.S. and Israel intelligence agencies WERE behind Stuxnet," Cluley said. "So you could rephrase your question, 'If Scooby Doo and Shaggy were behind Stuxnet, does that mean they are behind Duqu as well?'"
"I think we shouldn't jump to assumptions," Cluley added. "After all, whoever it was behind Stuxnet may have hired a third party to do the coding for them — and that third party could have re-used sections of the Stuxnet code for Duqu."
George Smith, a cybersecurity expert with the Washington research and public-policy firm GlobalSecurity.org, isn't sure that re-used code necessarily indicates the same authorship.
"The history of malware generation and proliferation tells us that once a certain piece is in circulation others build upon it," Smith said. "And its code eventually either gets distributed or becomes an open book."
Duqu, so dubbed because the letter pair "DQ" comes up often in the code, looks in some respects like an ordinary spyware program, albeit with parts grafted on from Stuxnet. Does that imply that the intelligence agencies of the U.S. and Israel are getting involved in cybercrime?
"Regardless of the authorship of Stuxnet and Duqu," Cluley said, "I would be very surprised if the USA and Israel weren't using malware to spy on others via the Internet ... as are just about every other country in the world."
In fact, Duqu's purpose isn't really clear. Symantec, which first publicized the bug's discovery (which it mysteriously attributes to "a research lab with international connections"), argued that it is laying the groundwork for another attack on SCADA systems.
McAfee, a rival top security firm, countered that Duqu is geared to steal digital certificates from certificate authorities so that one website can pass itself off as another.
F-Secure's Hypponen leans toward the military interpretation.
"My best guess is that the attackers are gathering information for the next attack," Hypponen said. "It's perfectly possible they did a similar information-gathering phase in 2008 or 2009 for the original Stuxnet and we just missed it."