Kaspersky on Duqu: same author, but wider industrial espionage agenda

According to the Moscow-headquartered IT security vendor, the striking parallels between the two malicious programs suggest they were either both written by the same group of people or that the Stuxnet source code – which has not been made publicly available – was used in its creation.

The bad news, however, is that there are significant differences between the two programs and, says Kaspersky, Duqu contains none of the functionality targeting industrial systems that was present in Stuxnet.

“As well as the main module, the Duqu files include an additional trojan-spy module capable of intercepting data entered via the keyboard, capturing screenshots, gathering information about the system, etc.”, says the report, adding that this all suggests industrial espionage is its primary aim.

Alexander Gostev, Kaspersky’s chief security expert, said that further investigation has managed to identify new Duqu victims, primarily in Iran, which once again echoes the parallels with Stuxnet.

“We also found new and previously unknown Duqu files. This confirms our suspicions that the people behind Duqu are continuing their activity, and their attacks, unlike the mass infections by Stuxnet, target carefully selected victims”, he said.

“A unique set of files is used for every targeted attack. It is also possible that other modules are used, and not just a Trojan-Spy but modules with a range of other functions”, he added.

Duqu wasn’t the only malware seen during October, as Kaspersky says that the total number of malicious programs for Android outstripped that for Java 2 Micro Edition (J2ME) for the first time. This is despite malware for J2ME being the most prevalent among mobile threats for over two years.

“The fact that the growth in malware for Android has increased so dramatically indicates that for the time being the virus writers will most probably be concentrating on this operating system”, warned Denis Maslennikov, Kaspersky’s senior malware analyst.

The Apple Mac platform was also targeted during the month, with the arrival of Trojan-Downloader.OSX.Flashfake.d, a new version of the Flashfake trojan for Mac OS X that masquerades as an Adobe Flash Player installation file.

Kaspersky says that, like its predecessors, the trojan’s main function is to download files, although new functionality has been added that disables the Mac’s built-in protection system XProtect – a simple signature scanner that is updated on a daily basis.