Computerworld - As new information about Duqu continues to come out, some experts are starting to question whether the danger posed by the trojan has been exaggerated.
The questions stem mainly from the fact that so far, there has been very little information about Duqu's true purpose.
Symantec, which released a report on Duqu earlier this week, has said the Trojan was created to steal information from industrial control system (ICS) vendors.
The security vendor said its analysis found that the malware was likely created by the authors of the Stuxnet worm that disrupted operations at Iran's nuclear facility in Natanz last year.
Symantec said it believes Duqu is being used to steal ICS data that can be used to create another Stuxnet-like trojan to attack critical infrastructure targets.
Symantec has yet to disclose what it may know about Duqu's potential targets.
After first claiming it knew of a "handful of instances" where ICS systems in Europe were infected with Duqu, it now only says "at least one" case has been confirmed.
The data from Symantec is simply not enough to determine the seriousness of the threat posed by Duqu, said Richard Bejtlich, chief security officer at security vendor Mandiant.
"If there were no explicit linkages to Stuxnet this wouldn't be a story at all," he said. "Similar code that does similar activity would not leap off the pages."
While many security pros have called Duqu the 'Son of Stuxnet,' the only known linkage is the shared code, Bejtlich said.
"I think it is a little bit sensational," Bejtlich said. "To me the fact that someone may have copied or reused parts of Stuxnet code is interesting," but experts need more information to determine iDuqu's true capabilities.
Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book Protecting Industrial Control Systems from Electronic Threat, said that any information gained by Duqu was likely already obtained using the Stuxnet trojan.
"They did all the data exfiltration with Stuxnet. Why would they do it again? It doesn't make sense," he said.
Also, because security experts are publicly on the lookout for Stuxnet-like threats, it's unlikely that attackers would use the same kind of code or methods, he said.
"I would be a lot more concerned if someone came with a different approach," he said. "It's like after 9/11 when everybody was looking for planes hitting buildings. Nobody was looking for a shoe bomber."
Dale Peterson, CEO of Digital Bond, a consulting firm specializing in control system security, said that the fact that Duqu may have been found in a system belonging to an ICS vendor is not significant by itself.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
