Don't be misled about Duqu malware
A short time ago a new piece of malicious code dubbed Duqu was discovered across Europe. Upon initial investigation, the code was classified as a virus and seemed to be programmed to target critical infrastructure providers. Upon further investigation, similarities were discovered to the Stuxnet code that attacked Iran’s nuclear program in 2010 damaging Iran’s uranium enrichment processing and the centrifuges to create nuclear materials.
Researchers claimed that this new malicious program used much of the same code as the 2010 Stuxnet virus did. The biggest difference was that the code now being called Stuxnet 2 covertly penetrated sensitive systems and conducted cyber reconnaissance on control systems and created a back door that would allow for exploitation at a future time of the cyberattackers choosing.
Cyber intelligence sources I spoke with had a few issues with some of the claims being made about this cyberattack. For instance, the actual source code from the original Stuxnet has not been verified as such, and never openly released, and some portions are even encrypted. So how can they make the claim this was based on the original Stuxnet code?
Our source went on to say that it is more likely that the new strain was the result of reverse engineering based on the analysis of what the original Stuxnet actual did, even though that would still be an incomplete data set. So the linking between these two should be suspect at this point. Another source I checked with was quite upset that some have claimed that those behind the original Stuxnet (said to be Israel, Britain and the United States) were behind Stuxnet 2. Where is the hard evidence? As with all cyberattacks, attribution requires carful cyber forensics and analysis tied to hard cyber intelligence rather than the rush to judgment that all too often accompanies these incidents.
Posted by Kevin Coleman on Oct 27, 2011 at 9:27 PM