Back in the fall of last year, we first began to learn about the Stuxnet worm, which targeted industrial control systems made by Siemens, and which was notable for its sophistication, compared to garden-variety malware. Because one of the targets of the Stuxnet attack was Iran’s uranium enrichment facility, there has been some speculation that the worm might have been created by a government, perhaps the US or Israel. There has also been concern that the techniques used in Stuxnet might find their way into other exploits, especially since versions of the Stuxnet code are available on the Internet.
According to an article at Wired, a new variety of malware, dubbed DuQu, has been discovered in Europe, and it contains many similarities to Stuxnet.
A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
Technically, DuQu is not a worm, since it does not self-replicate; and, at least so far, it has not been found with any destructive components. It appears to be primarily an intelligence gathering and remote access tool; quite possibly it is intended as the precursor to a Stuxnet-style attack. It incorporates a keystroke logger, and can transmit encrypted information back to a control server, disguised as image (JPG) files.
The PC security firm, Symantec, has published a blog post describing their analysis of DuQu; they have also made their research report [PDF] available. The SANS Internet Storm Center also has a diary post on DuQu.