Officials in India have seized components from a server as part of an investigation into the Duqu Trojan, according to a report.
According to Reuters, two workers at Web Werks, a web hosting company based in Mumbai, said the country’s Department of Information Technology took the equipment after security vendor Symantec reported the server was communicating with computers infected with Duqu. First publicized earlier this month, Duqu gained widespread attention due to its similarities with the infamous Stuxnet worm.
In their analysis of the malware, researchers at Symantec have contended that Duqu may have been developed to gather information to lay the groundwork for a Stuxnet-style attack on critical infrastructure. While it doesn’t contain code specifically targeting industrial control systems, Duqu does have elements in common with Stuxnet. For example, Dell SecureWorks’ Counter Threat Unit noted that the kernel drivers for Duqu and Stuxnet utilize many similar techniques in the name of stealth and encryption, such as a rootkit for concealing files. Those techniques however are not unique to either Stuxnet or Duqu, according to the Dell SecureWorks’ team.
Thus far, security vendors have observed Duqu infections in a number of countries, including Iran and Sudan. The purpose of the malware however remains unclear.
Marty Edwards, director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, told Reuters his agency is working with its counterparts in other countries to uncover more information about the attack.
“This one is challenging,” Edwards said in an interview with Reuters. “It’s a very complex piece of software.”
For the full report, click here for the Reuters article.