Security researchers say they have discovered a new piece of malware that closely resembles the sophisticated computer worm that sabotaged Iran's nuclear program.
The new malicious code, nicknamed "Duqu," is similar to Stuxnet, a cyberweapon that damaged Iran's nuclear centrifuges by causing them to spin out of control.
But the new malware has a different purpose: instead of causing damage, it is designed to spy on users by logging keystrokes and stealing files that lay the groundwork for a cyberattack against an industrial control system, according to researchers at the security firm Symantec.
The new malware, which was recovered from computer systems in Europe, "is essentially the precursor to a future Stuxnet-like attack," according to a blog post Tuesday by Symantec.
The malware was dubbed Duqu because it creates files with the prefix "~DQ." About half of the code found in Duqu was reused from Stuxnet, researchers said, and it was written either by the authors of Stuxnet or by people with access to Stuxnet's source code.
The authors of Duqu were able to trick computers into thinking the malware was legitimate software by stealing certificates used to verify that software comes from a trusted company. Like Stuxnet, Duqu stole its certificate from a company in Taiwan, leading researchers to believe the same authors were behind both attacks.
Duqu has only attacked a few organizations so far, dating back to December 2010. But researchers have found two variations of the malware, prompting them to think it may be conducting more cyberspying than they have identified thus far.
"It’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants," the Symantec blog says.
Researchers said they still have several unanswered questions, namely who was behind Duqu and why they were gathering information from industrial control systems, a term used to describe the systems that operate water treatment facilities, power plants and factories.
In 2009, Stuxnet began spreading to computer systems around the world and was specifically designed to damage Iran's nuclear program. United Nations officials have documented a sharp drop in the output of Iran's nuclear program in 2009 and 2010, confirming Stuxnet's impact, according to the Washington Post.
The author of the Stuxnet worm has never been officially identified, though some researchers have suggested that it was an effort by the United States and Israel to attack Iran's nuclear program.
Part of Stuxnet's source code became publicly available on the Internet after the nuclear program attack, causing officials with the Department of Homeland Security to warn Congress that the worm could be repurposed and used against U.S. critical infrastructure like the power grid.
Now, researchers say the discovery of the new malware could give them a chance to finally find out who was behind Stuxnet.
"We thought these guys would just disappear and never be heard from again," said Liam O Murchu, a researcher at Symantec. "So it's very surprising they have been active for the last year, writing code and attacking computers. They didn’t go away at all. But perhaps this gives us another chance to catch who's behind it."