Several new pieces of information about the Duqu infection, AKA “The Son of Stuxnet”, have been released recently.
We knew from the initial Symantec analysis that infections were discovered in six organizations in eight different countries. And that Symantec has been busy in tracking down servers used in Command & Control of the malware. First a server in Mumbai, India was identified, then earlier this month a server from Belgium’s largest web hosting providers was taken down.
But come on, what about Iran? We know that Stuxnet specifically targeted Iran’s nuclear ambition. Duqu must have been targeting Iran also. Symantec does mentioned Iran as one of the countries initially affected, but nothing further.
Finally on Sunday, Iran admitted that their nuclear sites have been hit and that they have just started removing it:
Iranian officials admitted Sunday that they had uncovered evidence of the Duqu computer virus — labeled “Son of Stuxnet” by cyber experts — at the Islamic Republic’s nuclear sites, state-controlled IRNA news agency reported.
“We are in the initial phase of fighting the Duqu virus,” Gholamreza Jalali, was quoted as saying. “The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.”
Also, it looks like Duqu may have taken some time to create. A very interesting (and somewhat humorous) report on Duqu from Kaspersky Lab Expert Aleks Gostev was posted last week. In the analysis, Alex shows that the creators of Duqu appear to be fans of the TV show Dexter, and could have spent over four years developing the virus:
“The driver loaded by the exploit into the kernel of the system had a compilation date of August 31, 2007. The analogous driver found in the dropper from CrySyS was dated February 21, 2008. If this information is correct, then the authors of Duqu must have been working on this project for over four years!”
As talks of physical strikes against Iran heat up again, one has to wonder what actual damage did Duqu do to Iran (It seems to be just an information gatherer), and is there a Stuxnet III out there?