This e-threat bears a striking resemblance to the already notorious Stuxnet worm that made the headlines in late 2010, after it had been used toÂ sabotage the Iranian nuclear program.
This time, however, the core component of the Duqu malware is a rootkit driver – a file that protects other malware against the defense mechanisms of the operating system or even of the antivirus itself. The code of the rootkit is extremely similar to the one we identified in Stuxnet more than a year ago, and judging by the first impression, one could imagine that the guys behind the Stuxnet incident are back with another tool to finish what they started in 2010.
However, a less known aspect is that the Stuxnet rootkit has been reverse-engineered and posted on the Internet. Itâ€™s true that the open-sourced code still needs some tweaking, but an experienced malware writer could use it as inspiration for their own projects. We believe that the team behind the Duqu incident are not related to the ones that released Stuxnet in 2010, for a number of reasons:
1. The purpose of this new threat is different. While Stuxnet has been used for military sabotage, Duqu is merely gathering information from compromised systems and should be regarded as nothing short of a sophisticated keylogger. Since criminal gangs rarely change their primary specialty, we are inclined to say that a gang focused on military sabotage would not move their focus to civilian enterprises.
2. Code re-use is a bad practice in the industry, especially when this code has been initally seen in legendary e-threats such as Stuxnet. By now, all antivirus vendors have developed strong heuristics and other detection routines against industry heavy-weights such as Stuxnet or Downadup. Any variant of a known e-threat would likely end up caught by generic routines, so the general approach is “hit once, then dispose of the code”.
Even though this might not be the creation of the team behind Stuxnet, we advise computer users to keep an open eye when surfing the web, as well as to install an antivirus solution.
UPDATE: We have released a 64-bit version of the tool that can be downloaded from here.