Oct. 18, 2011 at 4:03 PM ET
A powerful new computer virus that some are calling the "Son of Stuxnet" has been discovered, and researchers are concerned about its potential for attacking critical infrastructure computers around the world.
The mysterious Stuxnet worm -- perhaps the most powerful ever created -- managed to infiltrate computer systems in Iran and do damage to that nation's nuclear research program. The new worm, dubbed Duqu, has no such targeted purpose. But it shares so much code with the original Stuxnet that researchers at Symantec Corp. say it must either have been created by the same group that authored Stuxnet, or by a group that somehow managed to obtain Stuxnet's source code. Either way, Duqu's authors are brilliant, and mean business, said Symantec's Vikram Thakur.
"There is a common trait among the (computers) being attacked," he said. "They involve industrial command and control systems."
Symantec speculates that Duqu is merely gathering intelligence as a precursor to a future industrial-strength attack on infrastructure computers.
"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," Symantec said in an announcement. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."
At the moment, Duqu only creates a back door into infected systems, connecting them to a command computer somewhere in India. No marching orders have yet been given, but those who control the machines could do virtually anything they wanted, Thakur said.
"The kinds of consequences we could see ... if the computer is told download this file, it will download the file. If the file says shut off this service, and that had an effect on a power plant or a conveyor belt, it would do that," he said.
Duqu is so similar to Stuxnet that F-Secure's antivirus program initially identified it as Stuxnet, said F-Secure's Chief Research Officer Mikko Hypponen.
"Duqu's kernel driver is so similar to Stuxnet's driver that our back-end systems actually thought it was Stuxnet," he said in a tweet.
The mysterious Duqu is designed to leave the back door open for precisely 36 days, and then self-destruct.
Symantec was first alerted to the existence of Duqu on Friday, when an unnamed security firm that had already worked with a Europe-based victim shared its research with Symantec. Symantec researchers worked through the weekend trying to understand the virus, which they have since learned has infected industrial computers "around the globe," Thakur said. He wouldn't identify the initial victim or say how many known victims there are.
Symantec's analysis shows that Duqu may have been used to surveil computers around the world as far back as December 2010.
McAfee researchers Guilherme Venere and Peter Szor said in a blog post that they are pretty sure Duqu was written by Stuxnet's authors, in part because both programs utilize fraudulent "stolen" digital certificates which had been issued to companies in Taiwan. The use of what appear to be real digital certificate keys makes both programs particularly deceptive. It also shows the programmers are clever enough to fool the certificate authorities that issued the certificates.
"It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack," the blog entry said.
Duqu's attack pattern differs dramatically from Stuxnet, which was designed to attack a very specific computer system -- one that was involved in critical nuclear research inside Iran. The virus' target led many to speculate that the virus was invented by Israeli programmers, or a cooperative effort of government-backed Israeli and American computer hackers.
This "Son of Stuxnet," with its much wider focus, might call into question the origin of the virus, but Thakur wouldn't speculate on that.
"It's my personal belief that the guys who wrote Stuxnet knew exactly what they were doing, and if you thought they were good guys then, you probably don't have anything more to worry about now," he said. "But if you didn't, you probably have a lot to worry about."
Symantec isn't finished analyzing Duqu; it has several other samples of the virus from other victims which it is analyzing now.
"We wanted to put out the word so people know about the threat, and know what to watch out for, such as traffic to unknown servers or what files to look for so they can try to block them," he said. "In the coming days, we will look into information from other sources we have and see if we can get more information on what these guys are actually going for. The key thing missing here, unlike Stuxnet, is we don't know what they are looking for."