Pinpointing Duqu’s Origin and Intended Targets: The Debate Continues…

Last week, Duqu, the next step toward a next-generation Stuxnet, was revealed by researchers, although its pedigree and intended target remain the subject of much debate.

Stuxnet, if you’ve been in a cave for the last year, is a game-changing piece of malware that first attacked Windows systems through a then-zero-day DLL vulnerability and then, once a system was infected, went on to infect a Programmable Logic Controller found on Siemens PCS 7 systems. That was novel. PLC systems are specific and, in this case, used by nuclear power systems in Iran. The idea of targeted industries continues to send shock waves through the Industrial Control Systems community.

So Duqu, dubbed “son of Stuxnet”, is interesting. According to Symantec, Duqu uses parts of the Stuxnet source code. In order to do that, the authors would need access to the source code. Samples of Duqu suggest the trojan may have existed as far back as November 3, 2010, shortly after the Stuxnet outbreak. On first blush that would suggest that the author of Stuxnet was the author of Duqu, but that may not be the case.

Other researchers have noted that the code in Duqu is not exactly the original source code, but a close approximation of that in Stuxnet. F-Secure’s Mikko Hypponen tweeted “Duqu’s kernel driver (JMINET7.SYS) is so similar to Stuxnet’s driver (MRXCLS.SYS) that our back-end systems actually thought it’s Stuxnet.” If the authors of Duqu are not the original Stuxnet authors, then how did they get the code?

Writing on SCADAhacker, researcher John Langill makes a case that de-compilation tools, which decompile executable code, certainly do exist. Langill further suggests in his blog that the de-compiled Stuxnet code in question may have been leaked by the group known as Anonymous after the HB Gary Federal attack last February. No matter how it got there, Langill says it is now available on the Internet.

Meanwhile, researchers at Kaspersky argue that while Duqu is similar to Stuxnet, it is also very different from it. And Dell SecureWorks further argues in a Wednesday blog that similarities in the Windows DLL used and the commonality of software signing certificates are “insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources.” They further state that much of the code contains malware previously seen in the wild.

Setting aside questions of its pedigree, what might be Duqu’s intended target? Researchers at Symantec coyly suggested it is targeting different industries than Stuxnet, but didn’t name any. Researchers at Kaspersky say the attacks they have seen have been mostly aimed at Iran and Sudan. In response, on Wednesday, F-Secure’s Hypponen tweeted that the US State Department’s list of countries sponsoring terrorism includes Iran, Sudan, Syria and Cuba. The Kaspersky researchers did not comment on Duqu reportedly seen in the UK, USA, Austria, and Indonesia. In its initial phase, Stuxnet affected several countries, but it was the high infection rate in Iran that proved it to be the ultimate target, so maybe only time will tell with Duqu.

The most outlandish mystery (no pun intended), though, is the choice of the JPG image used to hide the transport of collected information. The picture is of two galaxies known as National General Catalog (NGC) 6745 colliding as taken by the Hubble Space Telescope. Several high-resolution images are available from the web. And F-Secure says Duqu is sending the information within the image to a server also known as, which has some connection to India.

Clues to Duqu’s true origin might exist elsewhere. For example, some of the Duqu variants use a digital certificate set to expire August 2, 2012, issued from a company in Taipei, Taiwan. McAfee says the certificate was stolen from C-Media in Taiwan. Symantec says that certificate was revoked on October 14, 2011. Other variants of Duqu use other certificates.

All of which may be red herrings.

Even with this many people looking at Duqu, and this many fingerprints on it, it may still not be possible to pinpoint who did what when. But we’ve been given ample warning that code like this will be more common in the future, and evidence that someone can replicate Stuxnet-like qualities. Hopefully we’ll adopt a security environment that keeps these new infections from becoming commonplace soon enough.
