A month or so ago, the first news reports began to surface about a new piece of malware called DuQu. At the time, there was some suspicion that it had been created by the same group that had created the Stuxnet worm, used to attack centrifuge systems in Iran, based on some similarities in the code. However, since the amount of information available was limited, this was far from certain.
Now, according to an article posted today at ThreatPost, the security news service from Kaspersky Labs, the gradual accumulation of additional evidence has reinforced the similarities, despite the feeling among researchers that they don’t have the whole DuQu story yet.
Researchers are fairly confident now that whoever wrote the Duqu malware also was involved in some way in developing the Stuxnet worm. They’re also confident that they have not yet identified all of the individual components of Duqu, meaning that there are potentially some other capabilities that haven’t been documented yet.
DuQu has been mentioned in the industry press fairly often, and I’ve talked about it here, but it is not particularly widespread. It has been introduced in a very deliberate, targeted way. Kaspersky Labs estimates there may be something on the order of fifty infections worldwide, a far cry from some of the “mass market” malware we have seen. DuQu attacks have been directed at specific targets; different attacks use different encryption schemes and employ different malware components. All of this suggests that the people or organization responsible are skilled and well-organized, just as with Stuxnet.
Once again, we are reminded that the malware game has changed a lot since the early days of the Internet. The attackers are no longer socially and hygienically challenged adolescents, but organized crime operations, and perhaps governments.