The Duqu Worm—As troublesome as Stuxnet?
Today, Symantec announced its latest discovery, Duqu. Quite ominously, it is being called the precursor to the next Stuxnet, an attack that is often considered the most complex of this decade. In fact, activity is still being linked to the Stuxnet team.
So what kind of havoc is Duqu wreaking? According to the Symantec report, the Duqu worm (so called because it creates files with the file name prefix “~DQ”) is essentially logging keystrokes and using encryption assets from Taiwanese certificate authorities to encrypt and extract payloads. So far, only a few sites are known to have been attacked by the Duqu code. Still, certificate authorities are being encouraged to check their systems and inventory to confirm that they have not been compromised.
What is alarming is just how similar Duqu is to Stuxnet. The infection model and just about everything else are the same—there is just no need for a nuclear centrifuge this time. Organizations that have a solid logging infrastructure on their network would clearly notice connections to unknown, foreign hosts. This would be a dead giveaway that you have been hacked. People who do not monitor their networks with a log management infrastructure are like the homeowner who buys fake surveillance cameras for their house…and still gets ripped off.
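The two detection ideas in this post, flagging outbound connections to hosts that are neither internal nor in your known-destination inventory, and watching for the “~DQ” file name prefix, can be turned into a small review script. The following is an added example, not code from the original post or from Symantec; the log line format, the internal address ranges, the allow-list of known external hosts and the sample log lines are all constructed assumptions for this illustration.

```python
"""Added example: review constructed firewall log lines for outbound
connections to unknown hosts, and check file names for the "~DQ" prefix.
Log format, address ranges, allow-list and sample data are all assumptions."""
import ipaddress
import re
from collections import Counter

# Assumed log format: "<timestamp> <src-ip> <dst-ip>:<port> <action>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<action>\w+)$"
)

# Assumed internal ranges (RFC 1918); traffic inside these is not "foreign".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed inventory of external hosts the organization expects to talk to
# (e.g. an update server). In practice this list is maintained from asset
# inventory and change management, not hard-coded.
KNOWN_EXTERNAL = {"198.51.100.9"}

# Constructed sample log lines; 203.0.113.77 plays the "unknown foreign host".
SAMPLE_LOG = """\
2011-10-18T09:01:12 10.0.0.15 10.0.0.5:445 ALLOW
2011-10-18T09:01:13 10.0.0.15 203.0.113.77:443 ALLOW
2011-10-18T09:02:40 10.0.0.22 198.51.100.9:80 ALLOW
this line is malformed and must be skipped
2011-10-18T09:03:05 10.0.0.15 203.0.113.77:443 ALLOW
2011-10-18T09:04:00 10.0.0.30 10.0.0.5:445 ALLOW
2011-10-18T09:04:30 10.0.0.30 203.0.113.99:443 DENY
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges.
    Membership is checked explicitly rather than via ip_address().is_private,
    which also treats documentation ranges such as 203.0.113.0/24 as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def unknown_outbound(log_text: str) -> Counter:
    """Count allowed connections from internal hosts to destinations that are
    neither internal nor in the known-external inventory, keyed by
    (src, dst, port). Denied connections are not counted: they never
    reached the outside host."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if not is_internal(rec["src"]):
            continue  # inbound or transit traffic is out of scope here
        if is_internal(rec["dst"]) or rec["dst"] in KNOWN_EXTERNAL:
            continue
        hits[(rec["src"], rec["dst"], rec["port"])] += 1
    return hits


# The post reports that Duqu names its files with the prefix "~DQ".
# Windows file names are case-insensitive, so the match is too.
DQ_NAME_RE = re.compile(r"^~DQ", re.IGNORECASE)


def suspicious_filenames(names):
    """Return the file names (base names only) carrying the "~DQ" prefix."""
    return [n for n in names if DQ_NAME_RE.match(n)]


if __name__ == "__main__":
    for (src, dst, port), count in unknown_outbound(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} seen {count} time(s); not in inventory")
    print(suspicious_filenames(["~DQ1.tmp", "report.docx", "~dq2.tmp"]))
```

The connection check is only as good as the inventory behind `KNOWN_EXTERNAL`; a host that is legitimately new will show up until the list is updated, which is the point, since every unexplained destination should be explained. The file name check is a weak indicator on its own (a prefix is trivial to change), so treat a hit as a reason to look at the host's other activity, not as a verdict.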