David Heath
Monday, 24 October 2011 20:21
Some call it either the precursor or the illegitimate son of Stuxnet. But is that fair, or is Duqu its own true self?
Yes, the researchers at Symantec have described Duqu (generally pronounced "dyoo-kyoo") as the precursor to the next Stuxnet-type attack, but they also observe that it contains a significant amount of code in common with Stuxnet.
The payload, however, is entirely different. Duqu contains none of Stuxnet's Siemens control system code (which is widely regarded as having been targeted against Iran's uranium enrichment facilities), and yet it shares many other features.
As well as the code links noted above, Duqu (like Stuxnet) 'borrows' a digital certificate for self-signing; in this case, although the owner was not named by Symantec, F-Secure outed the company as Taiwan's C-Media Electronics. The certificate was revoked on October 14th, soon after Duqu was discovered.
Duqu seems to be more of a general-purpose platform, having been observed to receive add-ons from its Command and Control (C&C) server, including an ability to scan and enumerate the local network in which it finds itself, and also a more typical information stealer with the ability to grab all kinds of local machine data, including both configuration and contents.
Where is the C&C server?