Security giants split over Stuxnet lookalike Duqu

Security vendors across the globe appear to be split over the newly discovered Duqu malware threat, disagreeing over its intended attack target and even the team behind it.

Symantec and McAfee both came to slightly different conclusions about Duqu, despite ostensibly obtaining a sample of the malware from the same anonymous source – a team of independent researchers.

As V3 reported on Wednesday, McAfee believes the "Stuxnet team" is behind this latest malware and that it is primarily targeted at certificate authorities (CAs) in parts of Europe, the Middle East, Africa and Southeast Asia.

"Only a few sites so far are known to have been attacked by the code, and it does not have Programmable Logic Controller (PLC) functionality like Stuxnet. Instead, the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code," wrote McAfee researchers Guilherme Venere and Peter Szor.

"In fact, the new driver's code used for the injection attack is very similar to Stuxnet, as are several encryption keys and techniques that were used in Stuxnet."

While Symantec agreed that the code, keys and techniques had much in common with Stuxnet, it argued that the team behind Duqu created the malware as a "precursor to a future Stuxnet-like attack", rather than aiming it at CAs.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," noted a post from Symantec's Security Response team.