
Security Firms Warn of 'Stuxnet-Like' Virus

By Chloe Albanesius, Executive Editor, News


Security researchers on Tuesday issued a warning about a virus, dubbed Duqu, that's similar in nature to the Stuxnet worm that targeted Iranian critical infrastructure last year.

International researchers alerted Symantec about Duqu last week and Symantec found that "parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose"—information gathering rather than system sabotage.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers," Symantec said in a blog post. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

The firm said Duqu is a "precursor to a future Stuxnet-like attack" and was authored by the same people as Stuxnet, or at least by those who had access to Stuxnet source code.

At this point, however, Duqu does not appear to contain any code that singles out any particular industrial control system (ICS); it's "primarily a remote access Trojan (RAT)," Symantec said. It appears as though the perpetrators are targeting a limited number of organizations, but "it's possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants."

The fact that Duqu creators have the Stuxnet source code is troubling, according to F-Secure's Mikko Hypponen. "Stuxnet source code is not out there. Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet," he wrote in a separate blog post.

Stuxnet made headlines last year when security experts warned that the sophisticated bug could put the nation's critical infrastructure at risk. The Windows-specific threat, however, appeared to target Iranian nuclear facilities and infected tens of thousands of IP addresses in that country. A similar threat, known as the Stars virus, also appeared in April.

McAfee Labs, which also received the Duqu data from international researchers, said the Duqu code "is delivered via exploitation, installs drivers, and encrypted DLLs that function very similar to the original Stuxnet code. In fact, the driver's code used for the injection attack is very similar to Stuxnet, as well as several encryption keys and techniques that were used in Stuxnet."

Duqu communicated with a command server in India. "This IP address has since been blacklisted at the ISP, and no longer functions. Yet, it was specially crafted to execute sophisticated attacks against key targets and has remote control functionality to install new code on the target, such as keyloggers which can be used to further monitor all actions on systems including running processes, window messages, and so on," McAfee's Guilherme Venere and Peter Szor said.
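A RAT that takes orders from a command server has to call home, and that call-home traffic is what a network defender can look for. The script below is an added example written for this article, not code from PCMag, Symantec or McAfee. It goes slightly beyond the text: besides matching outbound connections against a blocklist (the way the ISP blacklisting described above works), it also flags source/destination pairs whose connection timing is nearly constant, the timer-driven pattern a backdoor produces whether or not its server is already on a list. The log format, the internal hosts and the `C2_BLOCKLIST` address are constructed placeholders; the article does not publish the real Duqu server IP.

```python
"""Added example: find hosts talking to a blocklisted command server, or
calling home on a fixed timer, in an outbound-connection log.
Not from the article; all addresses and log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Placeholder: the article says the Duqu server IP was blacklisted at the ISP
# but does not print it, so a documentation-range address stands in for it.
C2_BLOCKLIST = {"192.0.2.10"}

# Constructed firewall export, one connection per line:
#   "<ISO time> <src> -> <dst>:<port> <bytes>"
SAMPLE_LOG = """\
2011-10-18T09:00:00 10.1.1.5 -> 198.51.100.7:443 1420
2011-10-18T09:00:00 10.1.1.8 -> 192.0.2.10:443 512
2011-10-18T09:05:00 10.1.1.8 -> 192.0.2.10:443 508
2011-10-18T09:10:00 10.1.1.8 -> 192.0.2.10:443 515
2011-10-18T09:15:00 10.1.1.8 -> 192.0.2.10:443 510
2011-10-18T09:03:12 10.1.1.5 -> 198.51.100.7:443 33000
2011-10-18T09:31:40 10.1.1.5 -> 203.0.113.9:80 9000
2011-10-18T09:00:00 10.1.1.9 -> 203.0.113.20:8080 300
2011-10-18T09:30:00 10.1.1.9 -> 203.0.113.20:8080 300
2011-10-18T10:00:00 10.1.1.9 -> 203.0.113.20:8080 300
2011-10-18T10:30:00 10.1.1.9 -> 203.0.113.20:8080 300
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, bytes)."""
    ts, src, _arrow, dst_port, size = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), int(size)


def connections(log_text):
    """Parse every non-empty line of the log."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def blocklist_hits(conns):
    """Return {src: set(dst)} for internal hosts that reached a blocklisted address."""
    hits = defaultdict(set)
    for _ts, src, dst, _port, _size in conns:
        if dst in C2_BLOCKLIST:
            hits[src].add(dst)
    return dict(hits)


def beacon_candidates(conns, min_events=4, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    cv = stdev / mean of the gaps. Human browsing has a high cv; a backdoor
    polling its server on a timer has a low one. Returns {(src, dst): mean_gap_s}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _size in conns:
        by_pair[(src, dst)].append(ts)
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            out[pair] = m
    return out


if __name__ == "__main__":
    conns = connections(SAMPLE_LOG)
    print("blocklist hits:", blocklist_hits(conns))
    for (src, dst), gap in beacon_candidates(conns).items():
        print(f"regular call-home: {src} -> {dst} every {gap:.0f}s")
```

On the constructed log, 10.1.1.8 is caught both ways (it contacts the listed address every 300 seconds), while 10.1.1.9 is caught only by the timing check: its server is not on any list, which is exactly the situation Symantec warns about with "currently undetected variants". The thresholds (`min_events`, `max_cv`) are tuning knobs, not facts from the article.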

McAfee called on certificate authorities to make sure their systems were not affected by Duqu.

For more, Symantec has published a 46-page white paper on Duqu.
