A news story has been around a few days regarding the variant of the STUXNET virus known as Duqu, which Symantec acquired from ‘a research lab with strong international connections’ before analysing the code and publishing a detailed report. The usual and predictable scare stories quickly surfaced about this being a possible precursor to another STUXNET-type attack, so I’ll put things into perspective here. The facts indicate it’s merely a well-coded Trojan designed specifically for acquiring data from infected systems, and it doesn’t really signal an increased risk to industrial control systems or critical infrastructure in itself, although it’s conceivable this is the reconnaissance stage for somthing else. As I’ve outlined last year, development of the original STUXNET involved a lot of time, resources, enough insider knowledge of Iran’s nuclear plants to know what PLCs were being used, how they were configured, and how they were being programmed. The malware was tailored for a very specific system, and even then it was more disruptive and certainly wasn’t ‘infrastructure-destroying’.
Duqu is relatively sophisticated, as far as malware goes, having a specific lifespan of just over a month, using a technique to store and execute itself in system memory, and dumping the information in (lightly) encrypted container files before forwarding them to a server. As Symantec hasn’t revealed what exactly was targetted or the IP address of the C&C server, all we know is a few organisations were compromised by someone using a relatively advanced Trojan, and there’s nothing really exceptional about that.