Symantec, McAfee warn of precursor to next Stuxnet

US online security giant Symantec has warned of a new piece of malware similar to the malicious Stuxnet worm believed to have targeted Iran’s nuclear programme.

Symantec said the new threat, dubbed “Duqu” because it creates files with the DQ name prefix, shares code with Stuxnet but is designed to gather intelligence for future attacks on industrial control systems rather than to sabotage them.

The company, along with security firm McAfee, believes the threat is part of something much larger.

“Duqu is essentially the precursor to a future Stuxnet-like attack,” the security firm said on its website.

“The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered,” it added.

Unlike Stuxnet, Duqu does not contain any code related to industrial control systems. According to Symantec, it is primarily a “remote access Trojan” and, unlike the Stuxnet worm, does not self-replicate.

Symantec says the threat “was highly targeted toward a limited number of organisations for their specific assets. However, it’s possible that other attacks are being conducted against other organisations in a similar manner with currently undetected variants”.

The company said that it had been alerted to the threat earlier this month by a “research lab with strong international connections”.

Stuxnet was designed to attack industrial control systems made by German industrial giant Siemens and commonly used to manage water supplies, oil rigs, power plants and other critical infrastructure.

It was sophisticated, self-replicating and had military implications. It was first discovered by an obscure information security company from Minsk, called VirusBlokAda, because an Iranian client’s computer would not stop rebooting.

Stuxnet represented the start of a new era in cyber-security threats. Although it spread prolifically through private networks, it remained dormant and only activated its payload on a computer running the relevant Siemens industrial software, and even then only when that computer was connected to a Programmable Logic Controller (PLC).

According to Symantec, the creators of Duqu intend to use its remote access capability to “gather intelligence from a private entity to aid future attacks on a third-party”.

Intriguingly, the threat is configured to run on any given system for only 36 days. “After 36 days, the threat will automatically remove itself from the system,” Symantec says.

After being alerted to the threat, meanwhile, security firm McAfee began work on tracing a timeline of Duqu’s spread and the areas it had reached.

“It seems to be primarily centered on the Middle East, then India, Africa and Eastern Europe,” McAfee senior research analyst Adam Wosotowsky said. “I haven’t seen any reports in North or South America.”

He added that ordinary users should not be concerned about getting an infection on their personal, stand-alone systems.

Wosotowsky added, however, that Duqu is evidence of nation-states taking their conflicts into the cyber-sphere.

Users, he said, should be “concerned that we are going to see the militarisation of cyber space going forward… This is a new face of international conflict.”
