Duqu, Stuxnet and the World of Cyber Espionage
In 2010, the Stuxnet malware gained global notoriety as a weapon of cyberwar against Iran. A new derivative of Stuxnet, dubbed "Duqu", is now making the rounds, though its purpose and target are not yet known.
In a keynote session at the SecTOR conference in Toronto this week, F-Secure security researcher Mikko Hypponen detailed his views on Duqu and the world of online espionage, noting that it is very clear to him that Duqu is not only based on Stuxnet but was also written by the same people. According to Hypponen, the Stuxnet source code is not floating around the Internet and, as such, for a new piece of malware to be so closely related, it has to come from the same group.
As far as he can tell, Duqu collects information about network topology to help prepare for a future attack of some sort. There was likely a similar information gathering phase prior to the release of Stuxnet, as well.
He also noted that the Duqu code is roughly half the size of Stuxnet's, and that the address an infected Duqu device calls home to is 188.8.131.52, an IP address located somewhere in India.
"So who wrote Stuxnet and Duqu? We don't know," Hypponen said. "I think that Stuxnet was coming from the U.S. government in cooperation with Israel, but I can't prove that."