Reworked version of Stuxnet relative Duqu worm found in Iran

Stuxnet Lives!

A new variant of the mysterious Duqu worm has been spotted in Iran by researchers from the security firm Symantec, marking the re-emergence of the close cousin of the Stuxnet cyberweapon after five months of dormancy.

The finding indicates that the unknown creators of Stuxnet, suspected by many to be the intelligence services of the U.S., of Israel or of both, are still at work.

In a Symantec blog posting Tuesday, the company identified a new component of the malware, a driver used to load Duqu onto computers when they restart. Analyzing the driver's code, "only one small part of the overall attack code," Symantec's researchers found that the malware authors had reworked it to better evade detection by security products.

Duqu's builders also changed its encryption algorithm and rigged the malware loader to pose as a Microsoft driver. (The old driver was signed with a stolen Microsoft certificate.)

"Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active," Symantec wrote.

Someone has been a busy little bee...

Posted by: Newbie at 05:28 AM
