More 'Stuxnet' cyberattacks feared

MOUNTAIN VIEW, Calif., Oct. 20 (UPI) -- The makers of the computer worm aimed at disabling Iran's nuclear facilities appear to be back in Europe with a precursor to a new attack, U.S. experts say.

The attacks by the malware named Stuxnet in 2009 and 2010 sabotaged the controls of industrial equipment at the Iranian uranium enrichment site at Natanz -- causing problems for its centrifuges, President Mahmoud Ahmadinejad confirmed last year.

Now, industrial computers in Europe are being infected with a "Trojan horse" program similar to Stuxnet that is likely the precursor to a new attack, the U.S. computer security company Symantec said.

Liam O Murchu, a Symantec security supervisor, wrote on the company's blog that European researchers had provided him with samples of a malware dubbed "Duqu," which contains sections that are nearly identical to Stuxnet and appears to have been written by the same authors.

"The real surprising thing for us is that these guys are still operating," he told Wired magazine. "We thought these guys would be gone after all the publicity around Stuxnet. That's clearly not the case.

"They've clearly been operating over the last year. It's quite likely that the information they are gathering is going to be used for a new attack. We were just utterly shocked when we found this," he added.

The Stuxnet worm represented a new threat level -- experts said it was the first malware discovered to be built for spying on and subverting industrial systems. It was also the first known to include a rootkit for programmable logic controllers (PLCs), the devices that run industrial equipment, in its malicious payload.

It attacked industrial control systems made by the German manufacturer Siemens between June 2009 and May 2010, taking aim at specific organizations in Iran in three waves. It infected Natanz and four other Iranian industrial facilities, The New York Times reported.

The newspaper reported in January that Israel had set up an array of centrifuges in an elaborate mock-up of a suspected Iranian uranium enrichment site -- a test bed that would have been needed to develop and verify malware as specific as Stuxnet.

The purpose of the new Duqu malware, O Murchu said in his blog post, is to "gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party."

The attackers, he said, "are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Duqu isn't a self-replicating worm like Stuxnet, but a "Trojan horse" information-stealer that can record keystrokes and harvest other sensitive system information.

"The attackers were searching for assets that could be used in a future attack," O Murchu said.

The security expert declined to say which European countries had been hit with the Duqu malware, but he told Wired that the victims were not clustered in any one geographic region. He warned that assessment could change quickly if more variants of the malware are found.

Guilherme Venere and Peter Szor of the U.S. computer security firm McAfee Labs wrote this week that there's no doubt the Duqu malware has the same authors as Stuxnet.

"The Stuxnet worm utilized two 'stolen' digital certificates belonging to two companies from Taiwan, which operated in the same business district," they wrote on their blog, while the new malware "was signed with yet another key belonging to the company Cmedia, in Taipei.

"It is highly likely that this key, just like the previous two, known cases, was not really stolen from the actual companies but instead directly generated in the name of such companies at a (commercial certificate authority) as part of a direct attack," they said.
