The malicious computer code that bears similarities to Stuxnet — the worm that sabotaged Iran’s nuclear program and prompted speculation about U.S. and Israel involvement — has now spread to eight countries, according to researchers, but there’s still widespread disagreement on whether it is, in fact, the “son of Stuxnet.”
Researchers at Symantec say the number of confirmed Duqu infections is still limited to a handful of organizations, and there has been no sign of the Stuxnet-style follow-on attack the company has suggested is possible. Still, samples have now turned up in the Netherlands, Switzerland, Ukraine, India, Sudan, Vietnam and, of all places, Iran.
There are reported but unconfirmed infections elsewhere.
Researchers at Symantec also said they now know how Duqu reaches its targets: the attackers e-mail a Microsoft Word document that exploits a previously unknown (zero-day) vulnerability in Windows, so the infection is triggered simply by the recipient opening the attachment. (Microsoft has acknowledged the flaw and said it is working on a fix.)
Since its discovery last month, Duqu has been widely dubbed the “son of Stuxnet” because of its purported connection to the infamous worm identified in 2010.
Stuxnet, however, was a sophisticated cyberweapon that physically disrupted the machines that controlled the speed of centrifuges in a uranium enrichment plant in Iran.
Duqu, by contrast, does no physical sabotage; it collects information from the systems it infects. Symantec has nonetheless said it appears to be the reconnaissance stage of a Stuxnet-like attack, gathering the information needed to guide the selection of future targets.
The malware appears to target companies involved in manufacturing parts that could be used in industrial control systems, bolstering theories that it is somehow connected to Stuxnet.
“In our mind, there’s absolutely no doubt that Duqu was created from the same source code as Stuxnet. That’s not to say they’re the same threat,” said Liam O Murchu, manager of operations for Symantec’s Security Response.
In the computer security community, that conclusion has drawn some skepticism. One prominent researcher has said that Duqu appeared to be nothing more than “typical computer network espionage,” and researchers at Dell have similarly played down the possibility of a connection to Stuxnet, saying that “supporting evidence is circumstantial at best and insufficient to confirm a direct relationship.”
Symantec, which previously conducted detailed research of Stuxnet, has held its ground.
O Murchu said that, when analyzing the underlying computer language in Stuxnet and Duqu, it’s impossible not to see the connections.
“Byte for byte,” he said, they are “exact copies in places.”
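The dispute above turns on what a "byte for byte" overlap actually shows. The following is an added example, not Symantec's or Dell's tooling and not the real Stuxnet or Duqu bytes: it finds maximal byte runs shared between two samples, then discards any run that also occurs in a reference blob standing in for statically linked runtime or library code, since such code is shared by every binary from the same compiler and proves nothing about common authorship. The sample layouts, the 16-byte minimum run length and the constants COMMON_RUNTIME, SHARED_CORE and REFERENCE are all constructed for the example.

```python
"""Byte-level code-reuse comparison between two binaries (constructed samples).

Added example, not Symantec's analysis tooling. Shows what a "byte for byte"
overlap measures and why shared bytes must be filtered against a reference of
common runtime code before they count as evidence of shared source.
"""
import hashlib

MIN_RUN = 16  # assumption: shorter matches are too likely to be coincidental


def shared_runs(a: bytes, b: bytes, min_len: int = MIN_RUN):
    """Return maximal runs present in both a and b as (off_a, off_b, length)."""
    index = {}
    for i in range(len(a) - min_len + 1):
        index.setdefault(a[i:i + min_len], []).append(i)
    runs = []
    for j in range(len(b) - min_len + 1):
        for i in index.get(b[j:j + min_len], ()):
            # Not left-maximal: already reported as part of a run that
            # started one byte earlier, so skip it.
            if i > 0 and j > 0 and a[i - 1] == b[j - 1]:
                continue
            n = min_len
            while i + n < len(a) and j + n < len(b) and a[i + n] == b[j + n]:
                n += 1
            runs.append((i, j, n))
    return runs


def grams(data: bytes, k: int):
    """All k-byte substrings of data."""
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def distinctive_runs(a: bytes, b: bytes, reference: bytes, min_len: int = MIN_RUN):
    """Shared runs that do not also occur in `reference` (e.g. a CRT)."""
    ref = grams(reference, min_len)
    return [(i, j, n) for i, j, n in shared_runs(a, b, min_len)
            if not (grams(a[i:i + n], min_len) & ref)]


def coverage(runs, total_len: int) -> float:
    """Fraction of the second sample's bytes that lie inside shared runs."""
    covered = set()
    for _, j, n in runs:
        covered.update(range(j, j + n))
    return len(covered) / total_len


def filler(label: str, hi: int, n: int = 64) -> bytes:
    """Deterministic padding standing in for unrelated code (constructed).

    Bytes are forced into the range [hi, hi+0x3F]; using a different `hi`
    per sample keeps padding from ever matching, so runs stay exact.
    """
    digest = hashlib.blake2b(label.encode(), digest_size=n).digest()
    return bytes((x & 0x3F) | hi for x in digest)


# Constructed stand-ins, not real Stuxnet/Duqu bytes (all below 0x80 so they
# never collide with the padding ranges above).
COMMON_RUNTIME = bytes(range(0x10, 0x28))  # 24 bytes every compiler emits
SHARED_CORE = bytes(range(0x40, 0x68))     # 40 bytes only the two samples share

SAMPLE_A = (filler("a1", 0x80) + COMMON_RUNTIME + filler("a2", 0x80)
            + SHARED_CORE + filler("a3", 0x80))
SAMPLE_B = (filler("b1", 0xC0) + SHARED_CORE + filler("b2", 0xC0)
            + COMMON_RUNTIME + filler("b3", 0xC0))
REFERENCE = filler("r1", 0x80) + COMMON_RUNTIME + filler("r2", 0x80)

if __name__ == "__main__":
    for i, j, n in shared_runs(SAMPLE_A, SAMPLE_B):
        print(f"A+0x{i:x} == B+0x{j:x} for {n} bytes")
    print("after runtime filtering:",
          distinctive_runs(SAMPLE_A, SAMPLE_B, REFERENCE))
```

Run as-is, the raw comparison reports two exact copies covering a quarter of SAMPLE_B; after filtering against REFERENCE only the 40-byte SHARED_CORE survives. On real samples the reference would be built from clean binaries produced by the same toolchain, and only runs that survive that filter support a "same source code" claim rather than the weaker "same compiler" one.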