» Thu Dec 08, 2011 2:36 am The new worm, dubbed Duqu, shares a lot of the code with Stuxnet, leading Symantec researchers to believe it was either created by the same team or by another group with access to the Stuxnet source code, Symantec researchers said in a 46-page white paper released Oct. 18. Unlike Stuxnet, which was designed to attack a very specific type of computer system, Duqu does not appear to have a clear target.
...
Duqu's primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. Duqu does not interfere with the operations of the infected system, but focuses on reconnaissance.
Attackers were looking for information such as design documents for supervisory control and data acquisition (SCADA) systems used to control machinery and other key operations that could be used when attacking a power plant or industrial facility. They have been silently monitoring computers since December 2010, and Duqu's activities are most likely a precursor to a larger, more comprehensive attack.
"The key thing missing here, unlike Stuxnet, is we don't know what they are looking for," Symantec said.
At the moment, Duqu only creates a backdoor on infected systems and connects with a command-and-control server somewhere in India, according to Symantec. The backdoor is open precisely for 36 days, after which the malware self-destructs.
According to McAfee's anolysis of the worm, the malware installs drivers and encrypted DLLs that can act as keyloggers on the system to monitor all processes and messages. It also has no mechanism to replicate itself.
...
Duqu's primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. Duqu does not interfere with the operations of the infected system, but focuses on reconnaissance.
Attackers were looking for information such as design documents for supervisory control and data acquisition (SCADA) systems used to control machinery and other key operations that could be used when attacking a power plant or industrial facility. They have been silently monitoring computers since December 2010, and Duqu's activities are most likely a precursor to a larger, more comprehensive attack.
"The key thing missing here, unlike Stuxnet, is we don't know what they are looking for," Symantec said.
At the moment, Duqu only creates a backdoor on infected systems and connects with a command-and-control server somewhere in India, according to Symantec. The backdoor is open precisely for 36 days, after which the malware self-destructs.
According to McAfee's anolysis of the worm, the malware installs drivers and encrypted DLLs that can act as keyloggers on the system to monitor all processes and messages. It also has no mechanism to replicate itself.
http://www.eweek.com/c/a/Security/Researchers-Believe-Newly-Discovered-Duqu-Worm-is-Stuxnet-20-594465/
http://www.infoworld.com/t/cyber-crime/symantec-warns-about-duqu-new-stuxnet-style-threat-176514
So, Stuxnet was sabotage and Duku is espionage. I'm really curious how it infects computers. Unlike Stuxnet which had a whole slew of zero-day vulnerabilities, Duku seems to lack ANY method of infecting on its own, leaving only social engineering, though it is possible Symantec got lucky (in a way) and caught an early version before the full version came out and therefore lacks the attack methods of the final version.
