Duqu variant presages a new Stuxnet attack

Details of a new Stuxnet variant labelled Duqu have been released, with security experts warning that it may be a precursor to another attack on industrial control systems.

The original Stuxnet worm hit the headlines for apparently being designed to sabotage Iran's uranium-enrichment centrifuges by infiltrating the SCADA (Supervisory Control And Data Acquisition) systems responsible for monitoring and controlling them.

According to a research paper published by security specialist Symantec, Stuxnet is back - and this time it is aiming further up the supply chain.

Duqu, a new variant built on the Stuxnet code, has been analysed and found to have been modified to collect keystrokes and system information from infected PCs rather than to attack SCADA infrastructure directly. The captured data can include usernames and passwords, the company noted.

"The executables have been found in a limited number of organisations," Symantec explains, "including those involved in the manufacturing of industrial control systems."

It is this targeting, combined with its Stuxnet base, that distinguishes Duqu from run-of-the-mill keylogging malware: the attack is aimed at specific organisations, and its purpose is to gather intelligence from manufacturers of industrial control systems.

"The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries," Symantec claims. "The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks."

Symantec has a good reason to be investigating Duqu as thoroughly as possible: some of the files were signed with the private key of a code-signing certificate that Symantec's own certificate authority business (the VeriSign CA operation it acquired in 2010) had issued to one of its customers, leading to fears that the CA infrastructure had been breached in the same way as Dutch CA DigiNotar, where attackers issued themselves rogue certificates.

"Our investigation into the key's usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware," claims Symantec. "Our investigation shows zero evidence of any risk to our systems; we used the correct processes to authenticate and issue the certificate in question to a legitimate customer in Taiwan."
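The distinction Symantec draws, a stolen key rather than a fraudulently issued certificate, matters to anyone who verifies signed code: a signature made with a stolen key is cryptographically perfect and chains to a trusted root, so after the fact only revocation (or a publisher allow-list) catches it. The Go program below is an added example written for this page, not Symantec's or the article's code, and it is deliberately simplified: raw ECDSA over a SHA-256 digest stands in for Authenticode, and the CA name, customer name, serial numbers and "driver" bytes are all constructed for the demo. It builds a toy code-signing PKI, signs a binary with the customer key exactly as a thief holding that key would, and shows that a verifier that skips the CRL check accepts the signature while one that consults the CRL rejects it once the certificate is revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only error handling
	if err != nil {
		panic(err)
	}
	return v
}

// SigningPKI is a constructed toy CA plus one customer code-signing certificate (hypothetical names/serials).
type SigningPKI struct {
	CAKey    *ecdsa.PrivateKey
	CACert   *x509.Certificate
	LeafKey  *ecdsa.PrivateKey // the customer's signing key: the one that gets stolen
	LeafCert *x509.Certificate
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewSigningPKI issues a CA and a leaf restricted to code signing, as a commercial CA does for a vetted customer.
func NewSigningPKI() *SigningPKI {
	now := time.Now()
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Hardware Vendor Ltd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return &SigningPKI{caKey, caCert, leafKey, issue(leafTmpl, caCert, &leafKey.PublicKey, caKey)}
}

// SignBinary signs a file's SHA-256 digest. Anyone holding key can do this: a stolen key gives valid signatures.
func SignBinary(key *ecdsa.PrivateKey, binary []byte) []byte {
	h := sha256.Sum256(binary)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// RevokeCert has the CA publish a signed CRL listing the given serial number.
func RevokeCert(p *SigningPKI, serial *big.Int) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now.Add(-time.Minute)}},
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey))))
}

// VerifyBinary runs the full check: chain to a trusted root, code-signing EKU, matching signature,
// then revocation. With crl == nil (no revocation data) a stolen-key signature passes every step.
func VerifyBinary(binary, sig []byte, leaf, root *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	h := sha256.Sum256(binary)
	if !ecdsa.VerifyASN1(leaf.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return fmt.Errorf("signature does not match binary")
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(root); err != nil {
			return fmt.Errorf("crl: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("signer certificate serial %v is revoked", leaf.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	pki := NewSigningPKI()
	driver := []byte("constructed stand-in for a driver's bytes") // not a real file
	sig := SignBinary(pki.LeafKey, driver)                        // the thief signs with the stolen key
	fmt.Println("without CRL:", VerifyBinary(driver, sig, pki.LeafCert, pki.CACert, nil))
	fmt.Println("with CRL:   ", VerifyBinary(driver, sig, pki.LeafCert, pki.CACert, RevokeCert(pki, pki.LeafCert.SerialNumber)))
}
```

Run it and the first VerifyBinary call returns nil while the second returns an error naming the revoked serial. The lesson for defenders, which the Duqu case made concrete, is that "validly signed" only proves that whoever signed held the key; revocation checking (CRL or OCSP) and an allow-list of expected publishers are what turn a signature into a trust decision.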

Symantec's findings, combined with those of other security companies across the world, suggest that the creator of Stuxnet is coming back for round two - and this time armed with stolen credentials and inside knowledge of the target systems to smooth the attack's path.

Symantec's full white paper is available for download as a PDF.