
Duqu: The Precursor to the Next Stuxnet

The next chapter of Stuxnet began with Duqu, a new threat whose goal is to gather intelligence in order to conduct a future Stuxnet-like attack. In at least one targeted organization, Duqu utilized a Microsoft Word document as an installer file by exploiting a previously unknown kernel vulnerability that allows code execution.

Duqu Threat

On October 19, Symantec released its analysis of a new threat called Duqu, which appears to be the precursor to a future, Stuxnet-like attack. Parts of Duqu are nearly identical to Stuxnet, but its sole purpose is to gather intelligence that could give attackers the insight they need to mount future attacks. Duqu is not widespread, but it is highly targeted, and its targets include suppliers to industrial facilities.

In at least one targeted organization, Symantec has confirmed that the installer file was a Microsoft Word document (.doc) that exploited a previously unknown kernel vulnerability allowing code execution. When the file was opened, malicious code executed and installed the main Duqu binaries. Microsoft is aware of the vulnerability and is working towards issuing a patch and advisory.

Key Updates

November 1, 2011
  • An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
  • Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
  • At least six organizations in eight countries have confirmed infections
  • A new C&C server hosted in Belgium was discovered and has been shut down

Watch the Symantec Webcast

Duqu: The Precursor to the Next Stuxnet?

Recorded Thursday, October 20

Take a Look Back at Symantec's Role in Unraveling Stuxnet

[Timeline image: "Unraveling Stuxnet". Source: Symantec]

The Significance of Stuxnet

What makes Stuxnet particularly earth-shattering is that it was designed to take a never-before-seen leap from the digital world into the physical world. Stuxnet is a computer worm designed to target the industrial control systems used to monitor and run large-scale industrial facilities.

Much of the malware in play today is designed to steal information and pilfer banking accounts, both of which have indirect impacts on our real-world lives. However, Stuxnet went well beyond that. Its purpose was to reprogram industrial control systems—computer programs used to manage industrial environments such as power plants, oil refineries, and gas pipelines. Its final goal was to manipulate the physical equipment attached to specific industrial control systems so the equipment acted in a manner programmed by the attacker, contrary to its intended purpose. Such an outcome could have several underlying goals, but sabotage, destruction, and cyber warfare were the most obvious.

Stuxnet opened the door to malware having deep political and social ramifications. There is much to be learned from the complexity of the Stuxnet threat. Indeed, Stuxnet has changed the way researchers approach malware and view the security threat landscape.

Security Response Blog Entries

Read what Symantec security researchers have written on the Stuxnet worm since it appeared in July 2010.

Technical Information

  • You'll find technical details on this Duqu threat on our security response page.
  • Symantec security customers are protected from this threat.
