
FAQ: What's the big deal about Duqu?

It could pose a grave threat to the industrial control systems

November 15, 2011 06:05 AM ET

Computerworld - The recently discovered Duqu Trojan has received considerable attention from the security research community. Here's why.

What is Duqu?

It's a remote-access Trojan (RAT) that is designed to steal data from computers it infects. It was discovered by the Laboratory of Cryptography and Systems Security (CrySys) at Budapest University.

RATs are pretty common these days. Why is so much attention being paid to Duqu?

Duqu is believed to have been created by the same people who wrote Stuxnet, the worm that was used to disrupt operations at Iran's Natanz nuclear facility last year. A lot of security analysts believe that it is a precursor to the next Stuxnet and poses a grave threat to the industrial control systems that manage equipment at critical infrastructure facilities such as power plants and water treatment facilities.

What exactly is the link between Stuxnet and Duqu?

Duqu and Stuxnet share a lot of common code and functions. While Stuxnet binaries have been floating around for some time, the actual source code itself has not been publicly available. The fact that Duqu contains Stuxnet code has led some to believe that Duqu's authors either have direct access to Stuxnet code -- or were the authors of Stuxnet. Duqu also uses an installation driver that is signed using a stolen or forged digital certificate belonging to a Taiwanese company called JMicron. Stuxnet used certificates belonging to the same company.

So, Duqu is targeted at industrial control systems, then?

Sort of, but not quite in the same manner as Stuxnet. Duqu appears designed to steal information from vendors of industrial control systems. It is an intelligence-gathering agent. Stuxnet, on the other hand, was designed to cause actual physical damage to industrial control systems. Security vendor Symantec and others believe that Duqu is being used to steal information that can eventually be used to craft another Stuxnet.

How serious a threat does Duqu really pose?

That depends on whom you ask. Companies such as Symantec and Kaspersky have described Duqu as a highly sophisticated piece of malware likely created by a nation state for the specific purpose of going after industrial control systems. Those fears are likely to be fueled by news emerging from Iran that computers in the country have been targeted by Duqu.

But not everyone shares this opinion, right?

Correct. Some believe the fears are overstated. The U.S. ICS Computer Emergency Response Team initially issued a warning for critical infrastructure owners to be on the alert for Duqu. Later, however, it issued an update saying that neither industrial control systems (ICSs) nor vendors/manufacturers were targeted by Duqu.


