New variant shows Duqu attackers still in operation

Security researchers at Symantec discover a new Duqu driver compiled in February 2012.

Security researchers at Symantec have flagged a new variant of the Duqu cyber-espionage Trojan, a clear sign that the attacks are still ongoing.

The latest Duqu driver was compiled in February 2012, more than four months after Duqu was first flagged as a unique piece of malware with “striking similarities” to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran.

Symantec identified the newly compiled Duqu driver as mcd9x86.sys and said it contains no new functionality beyond spying and collecting data from infected machines.
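The February 2012 compile date comes from the TimeDateStamp field in the driver's PE/COFF header. The following is an added example, not code from Symantec or from the article, showing how an analyst reads that field from a file and checks it against the reported indicator (the driver name mcd9x86.sys and a February 2012 build). The PE bytes used as input are constructed inline so the example runs offline; they are a minimal MZ/PE header, not a sample of Duqu. One caveat a practitioner should keep in mind: the timestamp is written by the linker and can be set to anything by the attacker, so it corroborates a finding rather than proving it.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification:
#   0x3C             e_lfanew, the offset of the "PE\0\0" signature
#   e_lfanew + 8     COFF TimeDateStamp (seconds since the Unix epoch)
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF link timestamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def compiled_in(data: bytes, year: int, month: int) -> bool:
    """True if the image's link timestamp falls in the given year and month."""
    t = pe_timestamp(data)
    return (t.year, t.month) == (year, month)


def matches_reported_driver(filename: str, data: bytes) -> bool:
    """Check a file against the indicator reported in the article:
    a driver named mcd9x86.sys whose PE header says it was built in
    February 2012. Timestamps are attacker-controlled, so treat a match
    as a lead for further analysis, not as confirmation."""
    return filename.lower() == "mcd9x86.sys" and compiled_in(data, 2012, 2)


def build_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal MZ/PE header with the given link timestamp.
    This is synthetic test input for the example, not real malware."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)  # PE header at 0x80
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x10E)
    return bytes(dos) + PE_SIGNATURE + coff


# 2012-02-20 00:00:00 UTC, a constructed value inside the reported window.
FEB_2012_SAMPLE = build_sample_pe(1329696000)
# 2011-12-31 23:59:59 UTC, a constructed value just outside it.
DEC_2011_SAMPLE = build_sample_pe(1325375999)

if __name__ == "__main__":
    for name, blob in (("mcd9x86.sys", FEB_2012_SAMPLE), ("mcd9x86.sys", DEC_2011_SAMPLE)):
        print(name, pe_timestamp(blob).isoformat(), matches_reported_driver(name, blob))
```

On a live system the same functions would be fed the bytes of each driver under %SystemRoot%\System32\drivers; the file-name check is the cheapest filter, and the timestamp narrows the candidates before any deeper static analysis.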

Duqu is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.

Kaspersky Lab's Costin Raiu says the latest variant has been engineered to escape detection by the open-source Duqu detector toolkit released by CrySyS Lab.
