Stuxnet creators have used much of the same code for their new creation, known as Duqu, which has grabbed the attention of security researchers after an unnamed independent team detected it.
However, Duqu is not as sophisticated as Stuxnet and is not targeting the same SCADA systems used in power plants.
Instead, Duqu has been used to acquire information in the lead-up to another Stuxnet-esque attack in the future, researchers have suggested.
A small number of organisations have been hit, including some in the manufacturing of industrial control systems.
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” a blog post from Symantec read.
“Our telemetry shows the threat was highly targeted toward a limited number of organisations for their specific assets. However, it’s possible that other attacks are being conducted against other organisations in a similar manner with currently undetected variants.”
Attacks using Duqu could stretch back as far as December 2010. The malware has been used to download a separate information stealer onto systems. That info-stealer was able to pilfer data in a variety of ways, including keystroke logging, before sending it off to a command and control centre in India inside an encrypted file.
The malware was programmed to run for 36 days before removing itself from systems.
Security researchers across the board have been fairly certain Duqu was created by the same team behind Stuxnet, even though there is no direct proof.
“They had to have access to the original source code, which only the creators of Stuxnet have. There are various decompilations available online. Those would not do,” Mikko Hypponen, chief research officer at F-Secure, told IT Pro.
“It's perfectly possible they [the team behind Stuxnet] did a similar information-cathering phase in 2008 or 2009 for the original Stuxnet and we just missed it.”
Aside from the code similarities, Duqu's driver files are signed with certificates apparently stolen from a Taiwanese company, as were Stuxnet’s.
Certificates were stolen from RealTek and JMicron in the case of Stuxnet, whereas in Duqu only one was compromised - C-Media Electronics Incorporation.
In recent cases, certificate authorities have been compromised so hackers could issue fraudulent certificates, as was seen with the now-defunct CA DigiNotar. However, the certificate used to sign Duqu appears to have been stolen somehow, even though McAfee’s analysis suggested otherwise.
“Symantec has known that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer,” the security giant said today.
“Symantec revoked the customer certificate in question on 14 October 2011. Our investigation into the key’s usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware.”
McAfee said Duqu was being used in areas occupied by “Canis Aureus,” the Golden Jackal. See below for a map outlining where these areas are: