Posted by: Robert Westervelt
Duqu, malware, Stuxnet
Computer equipment from a data center in Mumbai have been seized as part of an investigation into the Duqu Trojan, which shares code with the notorious Stuxnet worm.
Reuters has reported that computer investigators in India have seized the computer equipment that is believed to have hosted the command-and-control server connected to the Duqu Trojan.
Investigators from India’s Department of Information Technology traced the malware communications to a server at a web-hosting company called Web Werks, according to two workers at the firm. The investigators took several hard drives and other components from a server, Reuters said.
Symantec Corp. issued a report last month detailing how the Duqu Trojan is closely linked to the Stuxnet worm. The authors of the malware are believed to have had access to the Stuxnet source code. Unlike Stuxnet, which is intended to seek out Siemens supervisory control and data acquisition (SCADA) software and disrupt industrial processes, Duqu was designed to steal data. Duqu was discovered on the systems of industrial component manufacturers.
Once a system is infected with Duqu, additional malware is downloaded to record keystrokes and steal other details about the infected system. It can take screenshots, record network information and explore files on all drives, including removable drives.
Security researchers don’t know how the malware spreads. They are seeking the installer, which will yield clues as to how systems are initially infected. Currently, antivirus and antimalware engines can detect the Trojan.
The Dell SecureWorks Counter Threat Unit issued a Duqu report last week calling much of the early Duqu analysis “pure speculation.” Many of the techniques used by Duqu share similar characteristics as Stuxnet, but they have also been used in other unrelated malware, the CTU research team said. Still, Symantec said its binary analysis of the Duqu code concluded that the two pieces of malware shared the same code based.