The mysterious authors behind the most sophisticated cyber weapon on the planet appear to be planning another strike and have updated their advanced spy program designed to search out weaknesses in target systems, according to an American cyber security firm.
Researchers at Symantec, the firm that helped the U.S. government analyze the infamous Stuxnet computer worm that allegedly attacked an Iranian nuclear facility for months before its discovery in 2010, said they have been sent a new version of the Duqu worm for analysis. Discovered last fall, Duqu is an espionage program designed to gather intelligence on industrial control systems, perhaps for use in a future Stuxnet-like attack, according to several international cyber security firms including Symantec.
Based on similarities in the code, researchers say that whoever wrote Duqu either also wrote Stuxnet or had access to the powerful worm’s source code, which was never made public. As of November of last year, the original Duqu worm was believed to have infected systems in countries from Vietnam to France, including Iran.
In a blog post earlier this week, Symantec researchers wrote that they were only sent one component of the new Duqu code, but it was enough to see that the new version, apparently updated just last month, featured new “partially successful” security-evading measures. They did not say who provided the code in the first place.
“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,” the blog post says.
The authors of both Stuxnet and Duqu have never been identified, but speculation has long swirled around the idea that Israel, perhaps with the aid of the U.S., was behind the attack on the Iranian nuclear facility. A 2010 Congressional report noted that both countries were on a short list of nations with the financial means, technical expertise and motivation to carry out the attack.
But new clues as to the authors continue to emerge. Just a day before Symantec’s post, another respected cyber security firm, Kaspersky Lab, reported it had solved the mystery of some curious code buried inside Duqu.
In a blog post on its own site, a Kaspersky researcher wrote that experts had long been confused about a certain section of code that was apparently written in a coding language no one could identify. But after putting the question to its readers, Kaspersky’s audience of computer experts was able to figure it out: the code was written in a customized version of “pure C,” a programming language long since discarded by most programmers in favor of newer versions.
That meant, Kaspersky said, that the authors were likely “old school”: they have probably been expert coders for more than ten years, dating back to when pure C was still the preferred language, and by using a more basic language that a wide range of systems can run, they wanted to make sure the worm could infect just about everything it touched.