The recently identified “Duqu” worm has raised a whole new set of issues. It appears to be a variant of the Stuxnet malware that got so much of the world’s attention, and everyone is trying to figure out what it “means.”
Stuxnet has been described as the first real “weaponized” malware. When taken as a whole, it was a highly sophisticated piece of work. There was a great deal of pre-mission intelligence work and reconnaissance that preceded its deployment. Then there was the tradecraft needed to get the worm onto an air-gapped network, also great work. My tech expert buddies have told me that the code of the malware was not terribly cutting edge, but its effect was particularly elegant. It only made the Iranian systems “inefficient” in their production of enriched uranium and did not destroy anything. It also made the monitoring software report that all was well when it was not. All of this combined to allow the malware to stay on the system undiscovered much longer. The bottom line is that everyone agreed the combination of intel work, tradecraft, and elegance of effect pointed to this being a nation-state operation.
Now we have Duqu. Is this the next malware ICBM? Is it a deployed weapon, or is it only a test shot? Once Stuxnet was found in the wild, it became one of the most dissected bits of code in the world. Once you have a “template,” it is a lot easier to develop a variant. We have not figured out what Duqu does. What is its intent? Will it suddenly begin executing on some as yet undelivered command? Or is it only a test to see how fast it would be discovered? Additionally, since Stuxnet gave the coders a template, Duqu could have been developed by anyone, not just a nation state.
The experts do not yet know, or should I say, the ones who speak publicly have not yet said anything. Make no mistake; the best minds in government (NSA, DHS), industry (all the computer security firms), and academia (organizations and individuals) are ALL trying to figure it out.
Stuxnet opened a new window, and Duqu is only the first of many. I have called this the Stinger Effect, referring to the Stinger ground-to-air missiles the US gave to the Mujahidin fighting the Soviets in Afghanistan, which we now worry will be deployed against our aircraft. Once you deploy a malware weapon, it is in the wild, and anyone can get it, reverse engineer it, and re-task the new variant.
Anything anyone uses malware-wise had better be worth the return, because you just might see it again. The rub is, it now may be coming directly at you and your systems.