Stuxnet-Like Worm May Be Preparing Attacks


Security researchers at Symantec have found malware they think was written by the same people who created Stuxnet, the worm that famously disrupted a uranium enrichment plant in Iran.

Symantec's Security Response blog said that on Oct. 14 an alert came from another research lab, which gave Symantec samples recovered from systems in Europe. They called it Duqu (pronounced dyu-kyu), a name taken from the prefix, "~DQ", that the malware puts on the files it creates.


Duqu is a Trojan, meaning it masquerades as an innocuous piece of software that nobody would notice. It gathers data from a target system, and some variants load a keylogger. The Symantec experts write in their research paper that it could well be the precursor to a Stuxnet-like attack, since Duqu does not itself target specific industrial systems.


Evidence of who wrote Duqu is in the source code. The code for Stuxnet is not readily available; aside from the researchers who have studied it, only the creators have the source code. (The binary files are available, but they would not be much help to someone trying to re-create it.) That points to the same authors.

Mikko Hyppönen, a virus expert at F-Secure, wrote on his blog that the code used in Duqu was so similar to Stuxnet's that their systems thought it was Stuxnet.

Stuxnet was discovered in the summer of 2010. It attacks industrial control systems built by Siemens, specifically supervisory control and data acquisition (SCADA) systems. Most of the infected computers were in Iran, and it was blamed for disrupting uranium centrifuges at Natanz and Bushehr.


Since then there has been speculation that the worm was sent by the U.S. or Israel; a video played at a retirement party for Israel Defense Forces chief Gabi Ashkenazi referred to Stuxnet as an operational success. Neither the Israeli nor the U.S. government has confirmed creating Stuxnet.

A "reconnaissance" worm like Duqu would be necessary to mount a Stuxnet-like attack, since Stuxnet had to be tailored to specific industrial equipment.

Via Symantec, F-Secure