Did Symantec jump the gun on this Duqu-Stuxnet thing?

Oct 19, 2011
Data and Information Security

Some on Twitter suggest Symantec is making way too much of its Duqu findings in the rush to capitalize on the Stuxnet hype.

To recap: Symantec said yesterday that its researchers are analyzing a newly discovered “targeted threat that shares a great deal of code in common with the infamous Stuxnet malware.” The authors of this new threat, named Duqu, apparently had access to the Stuxnet source code, not just its binaries. “Thus, it is possible Duqu was created by the same attackers that created Stuxnet,” the spokesman said.

From what researchers can tell, Duqu’s mission is to gather intelligence data and assets from entities like industrial control system manufacturers, to more easily conduct a future attack against another third party.

Here’s a string of tweets from security practitioner Scot A Terban (@krypt3ia), a fellow I follow and respect for his willingness to frequently challenge popular opinion:

So, this paper by Symantec.. Anyone else read between the lines “Hurried to post this online first before thinking it through” ??? #duqu…

I think my head's about to explode.. The weapons grade stupid over #duqu is already reaching critical mass…

I reached out to him for some more elaboration and he directed me to his blog, in which he wrote:

Now, sure, the code base appears to be Stuxnet’s and yes, there are similarities because of this, however, calling this Stuxnet Redux or “Son of Stuxnet” is just a way of patently seeking attention through tabloid style assumptions put on the Internet. Let me pick this apart a bit and you decide…

Code Bases and Re-Tasking:

So ok, the coders seemed to have access to the FULL source of Stuxnet. It has been out there a while and surely some people in the world of “APT” have had access to this. It’s not like it was some modified version of Ebola kept at Sverdlovsk at Biopreparat. Had you even considered that it was released on purpose as chaff to get others to tinker with it and thus muddy the waters?

I’m guessing not from the report that I read, hurried as it was and full of conclusions being jumped to. In fact, Symantec even said that they had not fully audited the code! C’mon…

I’ll leave it to y’all to check out the rest of his post, but it’s quite good.

So now I ask you: Does Symantec’s report strike you as a rush job, or is there something to it?


–Bill Brenner
