Today Symantec announced that they obtained a new type of Stuxnet virus. The new virus is called Duqu. This remote access Trojan (RAT) does not contain any code related to industrial control systems. Symantec released the PDF file containing some unanswered questions. I have posted these questions here. Maybe we can get a view on this new virus.
Some additional resources:
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility. Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants. The attackers used Duqu to install another infostealer that can record keystrokes and collect other system information. The attackers were searching for information assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available on all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file-compilation times, attacks using these variants may have been conducted as early as December 2010.