Virus researchers at Symantec Corp. have discovered a variant of the Stuxnet worm, dubbed Duqu, that is designed to steal information about industrial control systems. Symantec said the malware, which has turned up on more than one customers’ network, could be used to gather data for a future attack.
A report from Symantec’s Security Response organization said the worm, W32.Duqu, was first identified on October 14 and has already turned up on the networks of more than one firm in Europe. The company’s claim that Duqu was “Stuxnet 2.0” garnered immediate attention online. However, Duqu is hardly revolutionary in the way that Stuxnet was. Indeed, Symantec said that Duqu was most likely written by the same authors and “shares a great deal of code with Stuxnet.” Like Stuxnet, Duqu has a modular structure and uses similar infection mechanisms. Duqu also uses a valid certificate to sign one of its key drivers. The certificate belongs to C-Media Electronics, Inc., a Taiwanese audio chip maker.
While Duqu appears to have been derived from the Stuxnet worm, however, its purpose is different, Symantec said. Rather than destroying industrial control systems, Duqu appears to be an information stealing Trojan that collects keystrokes and other information that might be used in subsequent attacks, Symantec said.
F-Secure, the Finnish anti malware firm, said that its software already had a detection for the worm’s Trojan dropper (a key component that delivers the malicious payload – such as a keylogger – to the infected system. The malware was identified as “Gen:Trojan.Heur.FU.fuW@aGQd0Wpi,” according to a Twitter post sent out Tuesday by Mikko Hypponen, CSO of F-Secure.
Although the provenance of the Duqu worm isn’t known, Symantec said an analysis of the worm code dates the info stealing component to at least June of 2011, putting its first appearance well after the appearance of Stuxnet in late 2009 and early 2010.
The worm takes its name from a file prefix – DQ – that is used to name a key worm component. When run, Duqu injects itself into one of four, common Windows processes: Explorer.exe, IEExplore.exe, Firefox.exe or Pccntmon.exe. Once installed, the worm downloads and installs an information stealing component which harvests information from the infected system and stores it in an encrypted files on the infected system for export to the attackers system. Among the information harvested by Duqu are lists of running processes, account and domain information, lists of configured drives and shared, network drives, screenshots, local file and network information as well as user keystrokes and screenshots from active sessions.