This is big news. It confirms suspicions that the Stuxnet attack on Iran was not going to be a one-time thing. We now know that at least one group has already been running these types of attacks and surveillance all over the world for the past two years (with much more likely planned). In the coming years, this kind of thing is going to be the norm for nations and other organizations with the resources.
Joe Weiss spoke about exploits of this sort in the Stanford EE Computer Systems Colloquium on Oct 12, 2011. View the video of the talk and download the slides at http://ee380.stanford.edu.
Why does the article assume it is made by the same people who wrote Stuxnet? Stuxnet source code from an IDA Pro dump is available on GitHub and in torrents.
Current binary to C decompilers are not sufficient to reproduce and modify moderately complex software. They just make analysis easier, because it's more like reading pseudocode.
What I don't understand is, how does it send the information it gathers back to its operators? I thought that these industrial facilities weren't usually connected to the internet, and that a worm had to get lucky with a thumb drive to get inside.
How do you run that backwards to get data out? Surely not thumb drives again?
This malware does not target air-gapped industrial control systems. This is just a remote administration trojan with a keylogging component. The kernel mode driver architecture and hooking method is the same (probably same code) as used in Stuxnet but the malware's purpose is information gathering only, not industrial sabotage.
This doesn't contain the payload. That means its target is not the same as Stuxnet.
I would assume that the master copy of Duqu takes over a computer, then installs a recon version on the USB stick that travels to the targeted facilities.
Of course this assumes Duqu's purpose/target/method are the same as Stuxnet. It could also be true that the attackers already know the info about the facility. All this strain of the virus is looking for is someone who works there.
I dunno...the ambiguity (in the article) is so high that the number of plausible scenarios is up there too.
Ditto - I thought the point of the worm was that it wasn't trying to send information back - it was trying to achieve a specific, physical purpose (i.e. to disrupt some component in the nuclear facility), and not necessarily send data back?
But they did point out that it was actually sending stuff back at the top of the article, so I'm equally confused!
That's the reason for this separate recon version.
It finds the machine that is connected to the internet at the plant, along with what websites etc. the user accesses. This allows them to target that machine/user with the payload, which will get onto the USB stick and into the actual factory.
This is probably the longest article I've ever read on the internet - fantastic introduction for me, a person who knows very little about trojans except that the Greeks made a big one years ago.