Watchful of New Stuxnet Worm, Warn Researchers
By siliconindia | Friday, 21 October 2011, 00:40 IST
Bangalore: Researchers have found evidence that the Stuxnet worm, which alarmed governments around the world, could be about to return. Stuxnet, an extremely intricate piece of malware, was built to detect and disrupt Iran's nuclear program. The worm's authors have never been identified, but suspicion has fallen on the Israeli and U.S. governments.
Duqu, the latest threat, is regarded as "a precursor to a future Stuxnet-like attack" by those who discovered it. Symantec, a security firm, publicized its discovery after one of its customers reported it as a threat. It creates files with the prefix DQ, hence the name Duqu. Symantec examined samples of the threat gathered from computer systems located in Europe.
According to the preliminary analysis, parts of Duqu are almost indistinguishable from Stuxnet, suggesting that it was written either by the same authors or by people who had access to the Stuxnet source code.
Symantec wrote in its blog, "Unlike Stuxnet, Duqu does not contain any code related to industrial control systems and does not self-replicate. The threat was highly targeted towards a limited number of organisations for their specific assets."
Though Duqu is not intended to attack industrial systems such as Iran's nuclear production facilities, as was the case with Stuxnet, it can gather intelligence for a future attack. According to Symantec, the code has been found in a limited number of organizations, including some involved in the manufacturing of industrial control systems. Greg Day, Symantec's chief technology officer, told the BBC that the code was extremely complicated. He added, "This isn't some hobbyist, it is using bleeding-edge techniques and that generally means it has been created by someone with a specific purpose in mind."
At present it is not clear whether it is state-sponsored or politically motivated. Greg said, "If it is the Stuxnet author it could be that they have the same goal as before. But if code has been given to someone else they may have a different motive."
Suggesting that it is designed to remain better hidden than its predecessor, the worm removes itself from infected computers after 36 days. Its "jigsaw" components, including a stolen Symantec digital certificate, have been used in the code. "We provide digital certificates to validate identity and this certificate was stolen from a customer in Taiwan and reused," said Greg. The certificate in question has since been revoked by Symantec.
Stuxnet made headlines last year when security experts warned that the complex bug could put a nation's critical infrastructure at risk. The threat, however, appeared to target Iranian nuclear facilities and infected tens of thousands of IP addresses in that country. A similar threat, known as the Stars virus, also came to light in April.
McAfee Labs, which also obtained the Duqu data from international researchers, said the Duqu code "is delivered via exploitation, installs drivers, and encrypted DLLs that function very similar to the original Stuxnet code. In fact, the driver's code used for the injection attack is very similar to Stuxnet, as well as several encryption keys, and techniques that were used in Stuxnet."
Duqu communicates with a command server in India. "This IP address has since been blacklisted at the ISP, and no longer functions. Yet, it was specially crafted to execute sophisticated attacks against key targets and has remote control functionality to install new code on the target, such as keyloggers which can be used to further monitor all actions on systems including running processes, window messages, and so on," said Guilherme Venere and Peter Szor of McAfee.
A Symantec report in September pointed out that while 58 per cent of infections were in Iran, about 18 per cent were in Indonesia and nearly 10 per cent in India.