Duqu: Not the Son of Stuxnet, but the Vanguard of a New Generation?

Yesterday evening, we got hold of a new e-threat identified as Win32.Duqu.A that tripped a heuristic routine. A closer look at the file revealed that it's not your everyday piece of malware that we see in volumes here in the Bitdefender lab.

This e-threat bears a striking resemblance to the already notorious Stuxnet worm that made the headlines in late 2010, after it had been used to sabotage the Iranian nuclear program.

This time, however, the core component of the Duqu malware is a rootkit driver – a file that protects other malware against the defense mechanisms of the operating system or even of the antivirus itself. The code of the rootkit is extremely similar to the one we identified in Stuxnet more than a year ago, and judging by the first impression, one could imagine that the guys behind the Stuxnet incident are back with another tool to finish what they started in 2010.

However, a less known aspect is that the Stuxnet rootkit has been reverse-engineered and posted on the Internet. It’s true that the open-sourced code still needs some tweaking, but an experienced malware writer could use it as inspiration for their own projects. We believe that the team behind the Duqu incident are not related to the ones that released Stuxnet in 2010, for a number of reasons:

1. The purpose of this new threat is different. While Stuxnet has been used for military sabotage, Duqu is merely gathering information from compromised systems and should be regarded as nothing short of a sophisticated keylogger. Since criminal gangs rarely change their primary specialty, we are inclined to say that a gang focused on military sabotage would not move their focus to civilian enterprises.

2. Code re-use is a bad practice in the industry, especially when this code has been initially seen in legendary e-threats such as Stuxnet. By now, all antivirus vendors have developed strong heuristics and other detection routines against industry heavyweights such as Stuxnet or Downadup. Any variant of a known e-threat would likely end up caught by generic routines, so the general approach is “hit once, then dispose of the code”.

Even though this might not be the creation of the team behind Stuxnet, we advise computer users to keep an open eye when surfing the web, as well as to install an antivirus solution.

If you suspect any infection with the Duqu.A rootkit, download and run our dedicated removal tool that is freely available in the Removal Tools section of Malware City.

UPDATE: We have released a 64-bit version of the tool that can be downloaded from here.

About the author

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.