19 Oct 2011
Security researchers have warned that the authors of the infamous Stuxnet worm appear to be fine-tuning their attack techniques, potentially leaving scores of industrial control systems at risk.
Researchers at Symantec have uncovered a new Trojan, nicknamed Duqu, which shares around half of its source code with Stuxnet.
That degree of re-use suggests the authors either worked on or had a very close relationship with the original Stuxnet authors, said Orla Cox, senior manager at Symantec Security Response.
Duqu was discovered on computer systems at an unnamed European organisation, but whereas the original Stuxnet worm was designed to wreak havoc on Iranian nuclear facilities, Duqu appears to have been akin to a reconnaissance mission.
It was designed to glean intelligence and data such as keystrokes from the infected systems, which was then transmitted to an external command and control system.
Duqu encrypted its payload data and sent it out in dummy JPEG files, in an effort to bypass network security.
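One structural check a defender can apply to the pattern described here (an encrypted payload carried inside a dummy JPEG) is to verify that an image file actually ends where the JPEG format says it ends. The script below is an added example, not code from the article or from Symantec's research, and it assumes the simplest layout for such a carrier: a real or throwaway image followed by an encrypted blob appended after the End Of Image marker. It walks the JPEG marker segments to the scan data, finds the EOI marker, and measures the length and Shannon entropy of whatever trails it; the sample inputs and the thresholds (`min_trailer`, `entropy_threshold`) are constructed for illustration.

```python
import math
from collections import Counter

# JPEG marker codes (second byte after 0xFF)
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def find_eoi(data: bytes):
    """Return the offset just past the EOI marker, or None if the bytes are not a parseable JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    # Walk the length-prefixed marker segments (APPn, DQT, SOF, DHT, ...) until Start Of Scan.
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == SOS:
            break
    else:
        return None
    # Inside entropy-coded data a 0xFF byte is always followed by 0x00 (stuffing) or an RSTn
    # marker, so the first 0xFF 0xD9 pair is the real End Of Image.
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] == EOI:
            return pos + 2
        pos += 1
    return None


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def inspect_jpeg(data: bytes, min_trailer: int = 64, entropy_threshold: float = 7.0) -> dict:
    """Classify a JPEG by what follows its EOI marker.

    A short, low-entropy trailer (padding, stray newline) is normal; a long, high-entropy
    trailer looks like ciphertext glued onto a carrier image and is worth a closer look.
    Thresholds are illustrative assumptions, not tuned values.
    """
    end = find_eoi(data)
    if end is None:
        return {"verdict": "not-jpeg-or-malformed", "trailer_len": 0, "trailer_entropy": 0.0}
    trailer = data[end:]
    ent = round(shannon_entropy(trailer), 2)
    suspicious = len(trailer) >= min_trailer and ent >= entropy_threshold
    return {"verdict": "suspicious" if suspicious else "clean",
            "trailer_len": len(trailer), "trailer_entropy": ent}


def minimal_jpeg() -> bytes:
    """Constructed sample: SOI, a JFIF APP0 segment, an SOS header, a few scan bytes, EOI.

    It is not a decodable picture, only a structurally valid marker stream for the parser.
    """
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # includes a stuffed 0xFF 0x00 pair
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed stand-in for an appended encrypted blob: every byte value equally often,
    # which gives exactly 8.0 bits/byte, the profile real ciphertext approaches.
    fake_cipher = bytes(range(256)) * 8
    for label, blob in [("plain image", minimal_jpeg()),
                        ("image + padding", minimal_jpeg() + b"\x00" * 200),
                        ("image + encrypted trailer", minimal_jpeg() + fake_cipher)]:
        print(f"{label:26s} {inspect_jpeg(blob)}")
```

In practice this check belongs at an egress point (web proxy or mail gateway) rather than on the endpoint, because the article's point is that the carrier was chosen to pass as ordinary image traffic; the parser also deliberately ignores trailing data that is short or low-entropy, since many legitimate tools leave a few bytes of padding after EOI.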
“Unlike Stuxnet, Duqu appears to have been quite stealthy,” said Cox. “It was designed to fly under the radar.”
While Symantec has not confirmed the identity of the target, it has acknowledged that Duqu targeted makers of industrial control systems.
It appears that the intention was to garner data about the design of these systems to provide clues on how future attacks could be launched.
In its research paper, Symantec describes Duqu as “the precursor to the next Stuxnet”.
But do such Trojans pose any risk to businesses in general?
Supervisory Control and Data Acquisition (SCADA) systems are found in all manner of modern organisations, controlling things as varied as Iranian nuclear centrifuges and office block lifts.
There has been a growing awareness of the potential for hackers to attack these systems.
In May 2011, security researchers at NSS Labs warned they had uncovered a number of vulnerabilities in SCADA systems produced by engineering behemoth Siemens – the same type of systems that were targeted by Stuxnet.
It would be possible to initiate an “industrial-grade malware attack” against the most heavily-defended systems, without having direct access to the hardware, NSS claimed at the time.
The existence of Duqu confirms that some of the malware authors connected to the Stuxnet worm are still active – Duqu contains code that appears to have been written since the last files were recovered. But it is too early to tell whether others will be able to build on this work.
The people who wrote Duqu must have had access to the Stuxnet source code, because the degree of sharing is too great and the task of reverse-engineering an attack from the Stuxnet binaries too complex, said Cox.