A newly surfaced version of the Duqu trojan indicates that the authors of one of the most sophisticated computer worms in recent memory are aggressively trying to figure out how to attack their next target.
Researchers at Symantec have analyzed the mysterious new file, detected as W32.Duqu, which is one of the components of the Duqu trojan. Duqu is an information-stealing trojan that shares a great deal of code with the Stuxnet worm, which sabotaged uranium-enrichment centrifuges at a nuclear facility in Iran. Rather than scanning the internet for victims, Duqu is delivered to chosen targets and used to gather intelligence about their systems, apparently as reconnaissance for a future attack.
The new file was compiled on February 23, 2012 (according to the timestamp in its PE header, a value the author controls and could have forged) and contains several code-level changes, a reminder that whoever was behind the Stuxnet worm is still active and still maintaining their tooling.
Symantec's analysts write:

"Checking the code, we can see that the authors have changed just enough of the threat to evade some security product detections, although this appears to have been only partially successful. One of the more significant changes to the code is the encryption algorithm they use to encrypt the other components on disk."

"…another difference is that the old driver file was signed with a stolen certificate, and this one is not. Also, the version information is different in this new version compared to the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver."
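The two observations above, a driver whose version information claims a Microsoft origin and a signature that either is missing or was made with somebody else's stolen certificate, translate directly into a triage check. The script below is an added example and is not code from Symantec or from the article; the driver directory, the version-resource fields compared, and the rule that a "Microsoft" claim must be backed by a signature whose subject contains "O=Microsoft Corporation" are assumptions made for illustration, since the article does not say which fields the new driver changed. It also reads the PE header timestamp, which is what "compiled on February 23" refers to.

```powershell
# Added example, not code from Symantec or the original article. It walks a
# driver directory and reports .sys files whose version resource claims a
# Microsoft origin but whose Authenticode signature does not back that claim.
# Path, field choices and the "Microsoft" matching rule are assumptions.

function Get-PeCompileTime {
    # Read TimeDateStamp from the PE file header (e_lfanew + 8). This is the
    # "compile date" analysts quote; the author of the file can forge it.
    param([Parameter(Mandatory)][string]$FilePath)
    $bytes = [IO.File]::ReadAllBytes($FilePath)
    if ($bytes.Length -lt 0x40) { return $null }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 12 -gt $bytes.Length) { return $null }
    # Require the "PE\0\0" signature before trusting the offset.
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45 -or
        $bytes[$peOffset + 2] -ne 0 -or $bytes[$peOffset + 3] -ne 0) { return $null }
    $stamp = [BitConverter]::ToUInt32($bytes, $peOffset + 8)
    return [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds($stamp)
}

function Find-SuspiciousDriver {
    param([string]$Path = "$env:SystemRoot\System32\drivers")   # assumed location

    Get-ChildItem -Path $Path -Filter *.sys -File | ForEach-Object {
        $vi  = $_.VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # What the file says about itself: the version resource an attacker
        # rewrites to pose as a Microsoft class driver.
        $claimsMicrosoft = ($vi.CompanyName -like '*Microsoft*') -or
                           ($vi.FileDescription -like '*Microsoft*')

        # What the signature actually proves. An unsigned file gives
        # Status=NotSigned and no certificate; a file signed with a stolen
        # third-party certificate gives Status=Valid but a non-Microsoft
        # subject. Both fail this test, so both variants get reported.
        $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        $signerOk = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')

        if ($claimsMicrosoft -and -not $signerOk) {
            [pscustomobject]@{
                File        = $_.Name
                Description = $vi.FileDescription
                Company     = $vi.CompanyName
                SigStatus   = $sig.Status
                Signer      = $subject
                CompiledUtc = Get-PeCompileTime -FilePath $_.FullName
            }
        }
    }
}

Find-SuspiciousDriver | Sort-Object CompiledUtc -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. Most of Windows' own drivers carry no embedded signature and are signed through a catalog; on Windows 8.1 and later Get-AuthenticodeSignature resolves the catalog and reports them as Valid, but on older systems they come back NotSigned and this check flags every one of them, so treat the list as triage input rather than a verdict. Second, the comparison deliberately uses the signer's identity and not merely the Valid status, because a driver signed with a stolen but unrevoked certificate, as the earlier Duqu driver was, passes any check that only asks "is it signed".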
Without access to more components of Duqu, the researchers can't be sure exactly what the changes mean, but they are understandably concerned by every new piece of evidence they find. [Symantec via ABCNews]