Paul Ducklin, Sophos:
Duqu malware spurs new Stuxnet-style conspiracy theory
October 24, 2011
The news wires have been abuzz for the past few days with stories of "a new
Stuxnet". This son-of-Stuxnet malware goes by the orthographically
curious name of Duqu.
(According to Symantec, Duqu got its name "because it creates files with
the file name prefix ~DQ". On those grounds, Duqu is a silly name. It
should have been called Twiddle-DQ, which is easier both to pronounce
and to understand. As names go, it's also a lot less dull, which has to
be worth something.)
Because Stuxnet targeted industrial control systems, and because it was
widely reported in Iran (and also, as it happened, in India and
Indonesia), conspiracy theories abounded.
At first, the world's media seemed sure that Stuxnet was intended to
take out Iran's nuclear reactor facility at Bushehr. Later, the theory
changed to say that the target was not the reactor facility but Iran's
enrichment plant at Natanz.
The media simply followed the new theory, unashamedly declaring Natanz
to be the target with the same apparent certainty with which they'd
recently been insisting that Stuxnet was specifically aimed at Bushehr.
Along with speculation about what Stuxnet was designed to do, of course,
came guesswork about who was responsible. Did the US write the malware?
Was it Israel? Was Iran the intended target?
We might never find out what really happened in the Stuxnet case. But
what about Duqu, the son of Stuxnet?
One writer already seems to know with certainty, and despite the
absurdity of his claims, his story - first published on a website about
industrial safety and security - is getting picked up around the world:
"[Website name redacted] has learned leaders of the three major software
companies, Sergey Brin at Google, Steve Ballmer at Microsoft and Larry
Ellison at Oracle have been working with Israel's top cyber warriors and
have now come up with a new version of a Stuxnet-like worm that can bring
down Iran's entire software networks if the Iranian regime gets too
close to a breakout."
But Duqu has as many differences from Stuxnet as it has similarities to
it. Most notably, Duqu doesn't target industrial control systems at all,
and it seems to have been distributed via targeted malware attacks in
Europe, not Iran.
As cyberconspiracy goes, then, this story is pretty far-gone.
Nevertheless, the idea of a US malware-hacking triumvirate made up of
Messrs Page, Ballmer and Ellison made me laugh. And I found myself
wondering what Apple's Tim Cook makes of the story.
Do you think he's relieved to have been omitted from this
cyberconspiracy equation, or miffed to have been relegated outside the
Big Three?
Paul Ducklin is Sophos's Head of Technology, Asia Pacific. He won the
inaugural AusCERT Director's Award for Individual Excellence in Computer
Security in 2009.
Follow him on Twitter at @duckblog.