Initially reported October 14 and listed as "discovered" on October 18, the Duqu virus, a Trojan with rootkit abilities, is targeting Europe and can potentially be a huge problem because of its evolutionary origins. "Affectionately" called "Son of Stuxnet" because of its lineage, and because the original Stuxnet was created solely to take down the Iranian nuclear plant, Duqu makes everyone nervous. Here, we look at Duqu's origins, its similarities to Stuxnet, and why it is such a problem.
What is Duqu?
The Duqu "virus" is not actually a virus; Duqu is a Remote Access Trojan (RAT) with the abilities of a rootkit. Its name comes from the "~DQ" it appends to file names. Symantec quickly confirmed that Duqu is indeed a branch of Stuxnet when it analyzed research lab samples. Symantec states that Duqu contains code nearly identical to Stuxnet's, but that the identical code serves a different purpose than it does in Stuxnet.
Where did Duqu come from?
The Duqu source code is similar to the Stuxnet source code, and Duqu was designed after the Stuxnet code files were collected, meaning there is no public access to those files. For these reasons, Symantec assumes that Duqu comes from the Stuxnet authors, since whoever wrote Duqu clearly has direct knowledge of and/or access to the Stuxnet source code.
How is it different from Stuxnet?
Duqu differs from Stuxnet in that it is not a direct attack on computers (yet): it does not replicate, it does not install other viruses as typical Trojans do, and it does not sabotage any systems as Stuxnet did. Instead, it is purely an information-gathering Trojan that has so far infiltrated only a specific, strictly targeted set of European businesses. After 36 days, Duqu uninstalls itself automatically.
How does Duqu work?
Duqu's creators install "infostealers" that monitor keystrokes and record specific system information, with the intent of delivering that information to the creators' servers so it can be used in possible future attacks on the affected businesses. The information is sent as JPG files so the transfer looks like normal data traffic, but each JPG contains sensitive system information.
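The exfiltration trick above relies on image viewers ignoring anything after a JPEG's End-Of-Image marker, so a file that opens as a normal picture can still carry data behind it. The following is an added defender-side check, not code from the article or from Symantec: it walks the JPEG marker segments (APPn, SOS, RSTn, EOI) to find where the image really ends and reports how many bytes trail it. The sample files are constructed inline and are not real Duqu artifacts; the payload format is an assumption for illustration only.

```python
"""Flag a JPEG that carries extra data after its End-Of-Image marker.

Added example (not code from the article or from Symantec). Viewers stop at
the EOI marker (FF D9), so a file that renders as a normal picture can still
carry an arbitrary payload behind it. This walks the JPEG marker segments to
locate the real EOI, then reports how many bytes follow it. The sample files
are constructed inline; they are not real Duqu artifacts.
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def find_eoi_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker that ends the marker stream.

    Raises ValueError when the data is not a structurally valid JPEG.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker; skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: the image proper ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                # TEM / RSTn markers carry no length field
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            raise ValueError(f"bad segment length {seg_len} at offset {pos}")
        pos += seg_len
        if marker == 0xDA:          # SOS: entropy-coded data follows the header
            # Inside scan data a 0xFF is either stuffed (FF 00) or an RSTn
            # marker; anything else is the next real marker.
            while pos + 1 < n:
                if (data[pos] == 0xFF and data[pos + 1] != 0x00
                        and not 0xD0 <= data[pos + 1] <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def analyze_jpeg(data: bytes) -> dict:
    """Describe the file: where the image ends and how much data trails it."""
    eoi = find_eoi_offset(data)
    trailing = len(data) - eoi
    return {"eoi_offset": eoi, "trailing_bytes": trailing,
            "suspicious": trailing > 0}


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed minimal marker stream (not a real photo) plus optional payload."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14-byte APP0 body
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"                    # 6-byte SOS header
    scan = b"\x12\x34\xff\x00\x56"       # entropy data with one stuffed 0xFF
    return (SOI
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
            + scan + EOI + payload)


if __name__ == "__main__":
    clean = build_sample_jpeg()
    # Constructed payload that itself contains FF D9, which defeats a naive
    # "find the last EOI" check but not the segment walk above.
    hidden = build_sample_jpeg(b"\xff\xd9HOSTNAME=lab-pc-01;USER=jdoe")
    print("clean: ", analyze_jpeg(clean))
    print("hidden:", analyze_jpeg(hidden))
```

Walking the segments rather than searching for the last FF D9 matters because a payload can contain that byte pair itself; the segment walk returns the EOI that actually closes the scan data. A trailing-bytes count above zero is a reason to inspect an outbound image, not proof of compromise on its own, since some legitimate tools also append metadata after EOI.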
How serious is the threat?
Symantec initially confirmed two variants of the Duqu code (the binary), and on October 18 confirmed an undisclosed number of other variants. When comparing the initial samples to its archives, Symantec realized that one had been unknowingly discovered on September 1, and its archives contain unconfirmed possible attacks going as far back as December 2010. The problem is that the original threat carried a digital signature issued by Symantec to a legitimate customer. This signature allowed Duqu to communicate with its controlling server. The certificate has since been revoked, and Symantec concludes that it was stolen from the customer's compromised computer.
What Now?
In an update, Symantec issued a warning to the entire industrial sector to prepare for an attack, and states that if the C&C (command and control) IP traffic is present, it is highly likely that one of the Duqu variants is present, even if the installed security program scans cleanly. According to the technical details concerning removal, Norton Power Eraser can remove it, as can the BitDefender Duqu removal tool. At the time of writing, they seem to be the only tools that can actively remove the infection. If they do not work, however, Symantec states that a complete reinstall of the operating system may be necessary.
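Since the warning above makes C&C traffic, not a clean antivirus scan, the deciding signal, the check a network defender wants is a pass over outbound logs against a list of C&C indicators. The script below is an added example, not code from the article or from Symantec. The article names no Duqu C&C address, so CNC_INDICATORS holds placeholder documentation ranges (RFC 5737), the log format is a simplified proxy-log layout assumed for the example, and every log line is constructed; substitute indicators from a trusted advisory and your own log format before using it.

```python
"""Scan outbound proxy logs for connections to command-and-control indicators.

Added example, not from the article or Symantec. CNC_INDICATORS holds
placeholder documentation ranges (RFC 5737), not real Duqu addresses, and
SAMPLE_LOG is constructed in an assumed, simplified proxy-log layout:
timestamp, source host, method, destination IP, port, content type, bytes.
"""
import ipaddress
from collections import defaultdict

CNC_INDICATORS = ["203.0.113.10", "198.51.100.0/24"]   # placeholders only

SAMPLE_LOG = """\
2011-10-18T09:12:01 10.0.0.5 POST 203.0.113.10 443 image/jpeg 4096
2011-10-18T09:12:09 10.0.0.7 GET 192.0.2.44 80 text/html 512
2011-10-18T09:13:30 10.0.0.5 POST 198.51.100.77 443 image/jpeg 8192
2011-10-18T09:14:02 10.0.0.9 GET 192.0.2.80 80 text/html 1024
this line is malformed and must be skipped rather than crash the scan
"""


def compile_indicators(indicators):
    """Turn dotted addresses and CIDR strings into network objects once."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def parse_line(line):
    """Parse one log line into a record, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        dst = ipaddress.ip_address(parts[3])
        port = int(parts[4])
        size = int(parts[6])
    except ValueError:
        return None
    return {"ts": parts[0], "src": parts[1], "method": parts[2],
            "dst": dst, "port": port, "ctype": parts[5], "bytes": size}


def find_cnc_contacts(log_text, indicators=CNC_INDICATORS):
    """Return {source host: [matching records]} for traffic to any indicator."""
    nets = compile_indicators(indicators)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if any(rec["dst"] in net for net in nets):
            hits[rec["src"]].append(rec)
    return dict(hits)


def summarize(hits):
    """Per source host: number of C&C contacts and total bytes sent to them."""
    return {src: {"contacts": len(recs),
                  "bytes_out": sum(r["bytes"] for r in recs)}
            for src, recs in hits.items()}


if __name__ == "__main__":
    for src, info in summarize(find_cnc_contacts(SAMPLE_LOG)).items():
        print(f"{src}: {info['contacts']} C&C contact(s), "
              f"{info['bytes_out']} bytes out -- treat as infected "
              f"even if the AV scan is clean")
```

A host that appears in the result is the one to pull for the removal steps the article lists, regardless of what its antivirus reports; the byte totals also give a rough sense of how much may already have left the network.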
Sources:
- Fran Rosch, "Duqu: Protect Your Private Keys," Symantec Blog
- Eric Chien, "Updated: Targeting Information," Symantec Blog
- "W32.Duqu Technical Details," Symantec
Published by JC Torpey - Featured Contributor in Technology
JC Torpey started writing at a young age and is affiliated with many online publishing websites. JC's expertise includes network security, PC health and the Internet. Her specialized writing areas include we...
1 Comment
Excellent information in this article. Thanks!