Stuxnet Clone 'Duqu': The Hydrogen Bomb of Cyberwarfare?

If the Stuxnet virus was the atom bomb of cyberwarfare, then the discovery this week of the "Duqu" virus is the hydrogen bomb, security experts are warning.

It is the second major weaponized virus to turn computers into lethal weapons with devastating destructive power.

The new program, discovered by Symantec on Tuesday with the help of an unnamed research lab, uses much of the same code as the 2010 Stuxnet virus did. But instead of destroying the systems it infects, Duqu secretly penetrates them and, according to some experts, creates “back door” vulnerabilities that can be exploited to destroy the networks at any time its creators may choose.

The original Stuxnet malware was the culmination of a vast technical and espionage effort that had only one target in mind: the Iranian nuclear program. It is widely believed to be the work of the United States and Israel. Experts who looked at the program were amazed at its ability to penetrate Iran’s highly protected systems and destroy them without being detected.

Its success set back the Iranian nuclear program for years.


Experts were also amazed at the depth of information that had been collected on the Iranian program, information that allowed its secure nuclear system to be penetrated so easily and without detection. Among those elements, according to Ralph Langner, who was one of the first to dissect the Stuxnet virus, were stolen certificates of authorization, highly protected codes that power Siemens industrial computers, and the internal workings of Iran’s computer systems. Much of it, they surmised, had to be done using human rather than computer intelligence agents.

With Duqu that is no longer the case.

According to Michael Sconzo, a senior security officer at worldwide computer security company RSA, the new virus embeds itself in computer systems for 36 days and “analyzes and profiles” the system's workings before sending its findings out to a secure server and self-destructing.

“It's an intelligence operation,” he said. “We still aren’t sure of all the things it looks for yet, but it is a likely precursor to an attack. It is a Trojan horse.”

But he said its intention is to allow its users to understand the inner workings of the targeted computer system in order to create malware that can attack the system.

Among the things currently known is that it records every keystroke used on a system, allowing it to learn and pass on passwords to various systems inside the network, thus making future penetration much easier.

He speculated that the 36-day window might allow the program to collect password patterns because many companies require password changes every thirty days.

As with Stuxnet, there are still a number of open questions that security firms around the world are trying to answer, Sconzo said.

Among them: Which companies have been hit; how extensive is the collection of data from their computers; and, because of the short period of penetration, how imminent is an attack.

And the most important question still remains open: Who's behind the attacks?

Several experts have suggested that the perpetrators must be the same group that created Stuxnet. That's far from certain, Sconzo said.

“The Stuxnet code has been out there for some time,” he said. “Anyone with a decent knowledge of computers could reverse engineer it.”

While that raises the possibility of Iranian retaliation for Stuxnet, which has been a cause of concern for some time, or even of terrorist involvement, he said there was too much not yet known to draw any conclusions about authorship.

“Just who is doing it may be the most important question we need to answer,” he said, because its discovery raises a great deal of “fear, uncertainty and doubt.”

“There is nothing out there available to stop it,” he said.