Did you rest assured that Duqu might finally be done with when I posted this article the other day? Well, this might come as bad news to you.
It appears that another new Duqu variant has been spotted in Iran by researchers from the security firm Symantec, the people behind the popularly known anti-virus suite Norton. This marks the reappearance of the virus after 5 months of dormancy. The finding indicates that the unknown creators of Stuxnet, suspected by many to be the intelligence services of the U.S., of Israel or of both, are still at work.
In a Symantec blog posting Tuesday, the company identified a new component of the malware: a driver used to load Duqu onto computers when they restart. Analyzing the driver's code, "only one small part of the overall attack code", Symantec's researchers found that the malware authors had reworked it to better evade detection by security products.
Duqu's builders also changed its encryption algorithm and rigged the malware loader to pose as a Microsoft driver. (The old driver was signed with a stolen Microsoft certificate.)
"Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active," Symantec wrote.
First spotted in September 2011, with code that traces back to 2007, Duqu is closely related to the Stuxnet worm, which in the summer of 2010 infected and crippled Iran's Natanz nuclear-fuel processing facility.
One thing that is still unclear about the Duqu virus is its true intention. No one knows exactly what it was created for, but there are many guesses. Some think it is designed to steal data from critical industrial-control systems in Iran and Europe, similar to the energy facilities Stuxnet targeted. Others believe it is meant to steal the authentication certificates that websites use to verify their identities.
Whatever its intent, countries including Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands have confirmed Duqu infections.
The latest Duqu component, Symantec said, was compiled Feb. 23, indicating it hasn't been in the wild for very long. The last unique version of Duqu that Symantec had previously spotted was compiled on Oct. 17, 2011.
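The compile dates Symantec quotes come from the TimeDateStamp field in a Windows executable's COFF header. The following is an added example (not code from the post, from Symantec or from any Duqu sample) of reading that field with only the Python standard library. It builds two constructed, non-loadable PE stubs carrying the two dates mentioned above; the year of the February build is not stated in the post, so 2012 is assumed for that stub.

```python
import calendar
import struct
from datetime import datetime, timezone

# Offsets taken from the PE/COFF file format specification.
E_LFANEW_OFFSET = 0x3C      # DOS header field holding the offset of "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
TIMESTAMP_OFFSET = 8        # TimeDateStamp sits 8 bytes after the PE signature


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at "PE\\0\\0"."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if not is_pe(data):
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    stamp_at = e_lfanew + TIMESTAMP_OFFSET
    if len(data) < stamp_at + 4:
        raise ValueError("truncated COFF header")
    (stamp,) = struct.unpack_from("<I", data, stamp_at)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal PE image: DOS header, PE signature, COFF header.
    It cannot be loaded and is not a Duqu sample; it only gives the parser a
    realistic byte layout to work on."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, optional header size, flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed samples carrying the two compile dates the post quotes.
# The post gives no year for the February build; 2012 is an assumption.
SAMPLES = {
    "driver-2011": build_stub_pe(calendar.timegm((2011, 10, 17, 0, 0, 0))),
    "driver-2012": build_stub_pe(calendar.timegm((2012, 2, 23, 0, 0, 0))),
}


def sample_compile_dates() -> dict:
    """Map each constructed sample name to its compile date as an ISO string."""
    return {name: pe_compile_time(blob).date().isoformat()
            for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, when in sample_compile_dates().items():
        print(f"{name}: TimeDateStamp says compiled {when}")
```

Pointing `pe_compile_time` at a real driver file gives the same figure Symantec reports, but treat it as a hint rather than proof: the field is four plain bytes that a malware author can set to anything, so a compile date only dates a sample when it agrees with other evidence such as first-seen times and certificate validity periods.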
Dennis Fisher from Kaspersky Lab, which has spent numerous hours studying Duqu, wrote in a blog posting March 20 that, based on the new Duqu variant, it appears that the worm is specifically tailored to each target.
"Rather than writing one piece of malware and spreading it to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted component and drivers," Fisher wrote.
So I guess this means that you have to watch yourself again. You should always have an anti-virus running on your system anyway, but just sayin'. If you want a great anti-virus, I advise you get Microsoft Security Essentials. It is free, and is backed by Microsoft and its partners.