"Duqu", a modified version of Stuxnet, has been spotted in the wild!!!
"Mr Egan said that the program appeared to be in a “reconnaissance phase”, though it also has the ability to update itself with new instructions. He said it was logical that Stuxnet had gone through a similar phase as well before being turned into an aggressive actor."

From today's FT, FYI,

David
A stealthy computer spying program that uses some of the same language as last year’s Stuxnet worm has infected a handful of industrial sites, leading security researchers to suggest that new attacks by Stuxnet’s authors could be forthcoming.

Stuxnet was by far the most advanced piece of malicious software ever discovered and has been described as the first cyberweapon. It disabled some centrifuges in the Iranian nuclear programme after taking advantage of previously unknown flaws in Microsoft Windows to spread. It spread on its own, seeking out machines that had a certain configuration of Siemens software for controlling such devices and then sabotaged them with commands to abruptly speed up and slow down.

On Tuesday, researchers at security firm Symantec, which had done the deepest analysis of Stuxnet, said they had been sent samples of the new program and that whoever wrote it must have had access to the original source code in Stuxnet. Only portions of that code are believed to have circulated in the underground, said Symantec researcher Gerry Egan.

Mr Egan said in an interview that the new code, dubbed Duqu because the suffix .DQ appears repeatedly, had significant portions that were derived from Stuxnet as well as similar architecture and techniques, including the use of a stolen or faked digital certificate to install itself.

But instead of spreading or carrying a destructive payload, the program as discovered in a handful of locations mainly seeks out information about what machinery and software is installed where it resides.

Mr Egan said that the program appeared to be in a “reconnaissance phase”, though it also has the ability to update itself with new instructions. He said it was logical that Stuxnet had gone through a similar phase as well before being turned into an aggressive actor.

If Duqu was written by the same team, it could presage more attacks.

“This threat is still very early on,” Mr Egan told the Financial Times.

He declined to say what industry was affected by the new software or what country it had appeared in.

Other security firms, including Intel’s McAfee and F-Secure, said they agreed with Symantec’s assessment, and some antivirus software has been updated to detect Duqu.