Duqu malware spurs new Stuxnet-style conspiracy theory

Filed Under: Featured, Google, Malware, Microsoft, Oracle

The news wires have been abuzz for the past few days with stories of "a new Stuxnet". This son-of-Stuxnet malware goes by the orthographically curious name of Duqu.

(According to Symantec, Duqu got its name "because it creates files with the file name prefix ~DQ". On those grounds, Duqu is a silly name. It should have been called Twiddle-DQ, which is easier both to pronounce and to understand. As names go, it's also a lot less dull, which has to be worth something.)

Because Stuxnet targeted industrial control systems, and because it was widely reported in Iran (and also, as it happened, in India and Indonesia), conspiracy theories abounded.

At first, the world's media seemed sure that Stuxnet was intended to take out Iran's nuclear reactor facility at Busheshr. Later, the theory changed to say that the target was not the reactor facility but Iran's enrichment plant at Natanz.

The media simply followed the new theory, unashamedly declaring Natanz to be the target with the same apparent certainty with which they'd recently been insisting that Stuxnet was specifically aimed at Busheshr.

Along with speculation about what Stuxnet was designed to do, of course, came guesswork about who was responsible. Did the US write the malware? Was it Israel? Was Iran the intended target?

We might never find out what really happened in the Stuxnet case. But what about Duqu, the son of Stuxnet?

One writer already seems to know with certainty, and despite the absurdity of his claims, his story - first published on a website about industrial safety and security - is getting picked up around the world:

[Website name redacted] has learned leaders of the three major software companies, Sergey Brin at Google, Steve Ballmer at Microsoft and Larry Ellison at Oracle have been working with Israel's top cyber warriors and have now come up with new version of a Stuxnet-like worm that can bring down Iran's entire software networks if the Iranian regime gets too close to a breakout."

But Duqu has as many differences from Stuxnet as it has similarities to it. Most notably, Duqu doesn't target industrial control systems at all, and it seems to have been distributed via targeted malware attacks in Europe, not Iran.

As cyberconspiracy goes, then, this story is pretty far-gone.

Nevertheless, the idea of a US malware-hacking triumvirate made up of Messrs Page, Ballmer and Ellison made me laugh. And I found myself wondering what Apple's Tim Cook makes of the story.

Do you think he's relieved to have been omitted from this cyberconspiracy equation, or miffed to have been relegated outside the Big Three?

, , , , , , , , , ,

You might like

9 Responses to Duqu malware spurs new Stuxnet-style conspiracy theory

  1. guest · 1100 days ago

    "Twiddle" is kind of an obscure usage. It's more commonly called a "tilde".

  2. Guest · 1100 days ago

    Highly unlikely that the heads of the Big Three are (directly) involved in military activities. There are plenty of talented people with specific job descriptions who can do this.

  3. Mikko Hypponen wrote about that story right after Duqu was announced by Symantec so I would think it is older than Duqu and unrelated. And nonsense as well. Did Obama and Netanyahu write bits of code too?

  4. abadidea · 1100 days ago

    That's a heck of a "citation needed."

    I'm trying to decide which of those three people amuses me the most in this context. Probably Ellison. Why on earth would someone go to Oracle for help writing Windows malware?

  5. Richard · 1100 days ago

    Given the name, this was obviously written by Darth Tyranus! :D http://starwars.wikia.com/wiki/Dooku

  6. ~ = twiddle; * = splat; !=bang

    Twiddle is "new" and I promise to use it.

    • Paul Ducklin · 1099 days ago

      I've known "~" as "twiddle" (in both South African and British English) for 20 years or more.

      I've also known "!" as "shriek" since my schooldays, so that N factorial, written "N!", is pronounced "N-shriek".

      Now, in British and other non-American Englishes, "#" is read by coders as "hash" (not "sharp").

      So the Americanism "shebang" for the Unix interpreter directive marker ("#!") can rather more groovily be called a "hashriek".

  7. I shall now expand my vocabulary to include twiddle from now on!

    This reminds me of the time when I learned what a whipper-snapper was. Ah, but I do enjoy the English language.

    Spiffing!

    • Paul Ducklin · 1099 days ago

      In the UK, a motorised weed cutter is known by the genericised tradename "strimmer".

      In Oz, however, the commonly-used genericised trade name is a pun on "whipper-snapper" - motorised weed cutters down under are called "whipper-snippers".

      Amazing what you can learn on Naked Security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog