‘Son of Stuxnet’ trojan discovered

Symantec says it’s discovered a new trojan that appears to have been written by the same authors as Stuxnet, and which is also targeted at industrial control systems.

Dubbed W32.Duqu, it’s a Remote Access Trojan (RAT) that uses much of the same code as Stuxnet but has a different payload. It doesn’t self-replicate, but installs a key-logger which can capture system information, and deletes itself after 36 days.

“Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party,” says Symantec in a blog post.

“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

The company says that Duqu has been used against several companies manufacturing industrial control systems. Attacks may have been going on for nearly a year.

Some of the malware files associated with the trojan were signed with private keys associated with a code signing certificate that was issued to a legitimate Symantec customer in Taiwan and that Symantec has now revoked. The company says the key was stolen, rather than fraudulently generated.

Stuxnet infected tens of thousands of computers last year. Ever since, rumors that it was designed as a US-Israeli project to damage Iran’s nuclear program have refused to go away.