Duqu worm targets Iran, Sudan
Kaspersky reveals four new attacks since worm was first discovered
Duqu, the malicious program that seems to be related to the infamous Stuxnet worm, has attacked three users in Iran and one in Sudan since it was first detected earlier this month, according to Kaspersky.
Kaspersky said that the first of the two network attack attempts on Iran took place on 4th October, the second on 16th October, and both originated from an IP address which formally belonged to a US internet provider.
"Despite the fact that the location of the systems attacked by Duqu are located in Iran, to date there is no evidence of their being industrial or nuclear program-related systems. As such, it is impossible to confirm that the target of the new malicious program is the same as that of Stuxnet. Nevertheless, it is clear that every infection by Duqu is unique. This information allows one to say with certainty that Duqu is being used for targeted attacks on pre-determined objects," said Alexander Gostev, chief security expert at Kaspersky Lab.
The Iranian infections were found to include two network attack attempts exploiting the MS08-067 vulnerability. This vulnerability was also exploited by Stuxnet and by another, older malicious program, Kido.
Duqu is apparently a universal hacking tool that can be changed according to the given task and can carry out targeted attacks on a limited number of objects, according to Kaspersky Lab experts.
Each of the four Duqu infections used a unique modification of the driver necessary for infection.
Researchers also discovered that other elements of Duqu were likely to exist, but had yet to be found, hinting that the workings of the malicious program could be changed depending on the particular target being attacked.