On Tuesday, Symantec came forward with details on a file it recently received which, once analyzed, proved to be a new variant of W32.Duqu, the first new version of Duqu that Symantec has found this year. The sample Symantec received is not the full code used in the threat, but it is the key component needed to fully infect a system: the loader file that loads the rest of the malware and stores it on the system in an encrypted state so that it survives a restart.
The newly discovered Duqu variant came from Iran, Vikram Thakur, principal manager of Symantec Security Response, told SecurityWeek.
The new file did not contain information on the command and control server that the sample would potentially connect to, Thakur said. "The author(s) changed the encryption algorithm they use to encrypt the other components on disk. Also the driver was changed to evade AV coverage. That leads us to believe development of Duqu is still ongoing."
Duqu is assumed to have been created by the same authors as Stuxnet, but unlike Stuxnet it contains no components that attempt to control industrial control systems. Instead it is primarily a remote access Trojan (RAT) designed to collect intelligence data and assets, possibly for use in future attacks.