Stuxnet Worm that Struck Iran Nuke Site May be on the Move Again


The worm that infected an Iranian nuclear site, Stuxnet, or something very much like it, may be getting ready to strike again, say researchers. A recently discovered piece of malware dubbed Duqu (for the prefix of its files, ~DQ) is designed to steal information needed to mount another such attack, and to provide remote access to industrial installations such as, well, nuclear plants.

Researchers at Symantec announced today the discovery of Duqu, stating that “Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

Duqu first came to their attention when they were alerted by another, international research lab that declined to be named, in order to protect the identity of one of the victim organizations.

According to the Symantec site, “On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat “Duqu” [dyü-kyü] because it creates files with the file name prefix ‘~DQ’.”

The Symantec researchers add that “Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

They also note that it is designed to run for 36 days, and then to remove itself from the target system. Why 36, nobody has yet posited.

Perhaps most disturbingly, unlike the original Stuxnet, Duqu is not designed to sabotage the industrial system it infects. Instead, it is designed to provide remote control access. Think about that when you consider Stuxnet’s last high-profile target: the Iranian nuclear plant.

One thought on “Stuxnet Worm that Struck Iran Nuke Site May be on the Move Again”

  1. Just a fun speculation, but:
    The Stuxnet worm was widely rumored to be of either Israeli or joint American/Israeli origin. Now, in Hebrew, letters can also represent numbers. The two Hebrew letters that form the word “chai,” meaning life, also add numerically to 18. For this reason, the number 18 is considered by some Jews to be lucky. Gifts of money, or donations to charity, are often given in multiples of chai.
    So, Stuxnet was lucky the first time; Duqu may be the second coming of Stuxnet, ergo double chai, which of course is 36.
