Recent headlines sound like something from an old Japanese horror movie: "Son of Stuxnet." But truthfully, this new Trojan, called "Duqu," could be a lot more dangerous than Godzilla. Duqu contains code nearly identical to Stuxnet's (which is why some are referring to it as "Stuxnet 2.0") and is capable of stealing intelligence data and assets to set up a future attack.
Symantec was alerted of the discovery of the new Trojan and announced it on its blog:
Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose. Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
Duqu doesn't self-replicate, Symantec pointed out, and it appears to be a remote access Trojan. The big difference between Stuxnet and Duqu is what they are designed to do. Stuxnet was meant to sabotage control systems; Duqu wants remote access. A McAfee blog post stated that Duqu's purpose may be targeted attacks against sites like certificate authorities, and it advises those sites to verify whether their systems have been compromised.
Security folks have been warning of another Stuxnet or Stuxnet-like piece of malware that could attack network infrastructure. Stuxnet had a purpose: to shut down an Iranian nuclear facility. What exactly is Duqu designed to do? Security experts know what it can do, but I wonder if there is a specific purpose behind Duqu.
At least it's encouraging that we are talking about this as a discovery before hearing of it doing any damage on a network.