The precursor to the next Stuxnet
Symantec claims to have found what they are calling the precursor to the next Stuxnet worm. The new trojan has been identified as W32.Duqu because of the DQ file name prefix. According to Symantec’s analysis, Duqu is not designed to wreak havoc on industrial control systems (ICS); instead, it is intended to be used as a command and control trojan. Duqu communicates with a C&C server hosted in India, and was used to install data collection tools at several sites in Europe.
Duqu does not natively include any mechanism to self-replicate to other devices, so it must be propagated through other means. Symantec has not retrieved the installer that was used to deliver Duqu. After a successful installation, the trojan will run for 36 days and then remove itself from the compromised system. This is most likely an attempt to avoid detection.
Symantec is continuing its investigation into the new threat. As of press time, Symantec has recovered several variants of the attack. This will get a lot more attention as Duqu’s focus shifts from data collection to more nefarious purposes.