A new backdoor created by someone who had access to the source code of Stuxnet has been found.
Stuxnet's source code is not out in the wild (only the binaries are). Only the original authors have the source code, so this new backdoor was created by the same party that created Stuxnet. For a refresher on Stuxnet — arguably the most important malware in history — see our Q&A.
Unlike Stuxnet, the new backdoor, known as Duqu, does not target automation or PLC gear. Instead, it's used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack based on the information gathered by Duqu.
The code similarities between Duqu and Stuxnet are obvious. Duqu's kernel driver (JMINET7.SYS) is so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems initially classified it as Stuxnet.
Stuxnet's drivers were signed with stolen certificates belonging to the Taiwanese companies RealTek and JMicron.
Duqu has a driver signed with a stolen certificate belonging to a Taiwanese company called C-Media Electronics Incorporation.
In addition to this signed driver, several other related unsigned driver files have been found, some of them claiming to be from JMicron or IBM.
The best research into Duqu so far has been done by Symantec. They've been at it for a while, and have today published a 46-page whitepaper on it.
Was Duqu written by US Government? Or by Israel? We don't know.
Was the target Iran? We don't know.
F-Secure antivirus detects Duqu generically with one of our Gen:Trojan.Heur detections.
P.S. By a coincidence, a website called ISS Source has today published a confused article talking about a new "Stuxnet-like worm" created by Google, Microsoft, and Oracle. We don't believe this article is accurate.