Big news today.
A new backdoor created by someone who had access to the source code of Stuxnet has been found.
Stuxnet source code is not out there. Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet. For a refresher on Stuxnet – arguably the most important malware in history – see our Q&A.
Unlike Stuxnet, the new backdoor, known as Duqu, does not target automation or PLC gear. Instead, it’s used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It’s possible we’ll eventually see a new attack targeting PLC systems, based on the information gathered by Duqu.
The code similarities between Duqu and Stuxnet are obvious. Duqu’s kernel driver (JMINET7.SYS) is so similar to Stuxnet’s driver (MRXCLS.SYS) that our back-end systems initially classified it as Stuxnet.
Stuxnet drivers were signed with stolen certificates belonging to Taiwanese companies called RealTek and JMicron.
Duqu has a driver signed with a stolen certificate belonging to a Taiwanese company called C-Media Electronics Incorporation.
The driver still claims to be from JMicron, though.
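That last detail is a useful defender check in its own right: a valid Authenticode signature only proves which certificate signed the file, not that the file’s own version resource is honest about who built it. The following is an added example, not code from the original post or from F-Secure; it lists kernel drivers whose signer certificate subject does not mention the CompanyName claimed in the file’s version information. The drivers directory path is an assumption, and a driver signed with a certificate that has since been revoked will show a non-Valid status rather than Valid.

```powershell
# Added example (not from the original post): compare each driver's Authenticode signer
# against the company its own version resource claims, and report the mismatches.
# The directory below is an assumed default, not something the post specifies.
function Get-SignerVersionMismatch {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")

    Get-ChildItem -LiteralPath $DriverDir -Filter '*.sys' -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $info = $_.VersionInfo

        # Subject of the signing certificate, if the file carries a signature at all.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $claimed = $info.CompanyName

        # Only compare when both sides are present; an unsigned file is a separate finding.
        $mismatch = $false
        if ($sig.SignerCertificate -and -not [string]::IsNullOrWhiteSpace($claimed)) {
            $mismatch = $signer.IndexOf($claimed.Trim(), [StringComparison]::OrdinalIgnoreCase) -lt 0
        }

        [pscustomobject]@{
            File            = $_.Name
            SignatureStatus = $sig.Status      # Valid, NotSigned, NotTrusted, HashMismatch, ...
            Signer          = $signer
            ClaimedCompany  = $claimed
            Mismatch        = $mismatch
        }
    } | Where-Object { $_.Mismatch }
}

# Usage: list drivers whose signer and claimed company disagree.
Get-SignerVersionMismatch | Format-Table -AutoSize
```

Expect some benign noise from this check (a hardware vendor’s driver signed by a parent company, or a legacy driver signed through a third party), so it is a triage signal to review alongside the signature status, not a verdict on its own.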
The best research into Duqu so far has been done by Symantec. They’ve been at it for a while, and have today published a 46-page whitepaper on it.
Was Duqu written by US Government? Or by Israel? We don’t know.
Was the target Iran? We don’t know.
F-Secure Antivirus detects Duqu generically with one of our Gen:Trojan.Heur detections.
PS. By a coincidence, a website called ISS Source has today published a confused article talking about a new “Stuxnet-like worm” created by Google, Microsoft and Oracle. We don’t believe this article is accurate.