Duqu Server Shut Down In India

Indian authorities have seized equipment from a data centre in Mumbai as part of the global investigation into the Duqu worm, which first appeared earlier this month.

Symantec researchers who discovered the malware said that its current primary purpose appeared to be to gather intelligence from industrial control systems and had no clear targets.

Important clues

According to Symantec, Duqu only creates a backdoor on infected systems and connects to a command and control server somewhere in India before self-destructing after 36 days.

This server appears to be located at a web-hosting company called Web Werks. Two workers from the company told Reuters that officials from India’s Department of Technology retrieved several hard drives and components from a server that Symantec told them was communicating with computers affected by Duqu.

One of the workers said that they had no idea how the malware got into the server, adding that they could not identify the customer. The seized equipment might hold valuable clues in the investigation into Duqu’s origins and how it operates.

Symantec first discovered the Duqu virus on 14 October and said that it shared so much code with Stuxnet, that it must have been developed by the same team or by someone with access to the source code.

Discovered last year, Stuxnet is considered by some to be one of the most sophisticated pieces of malware ever seen and that the time and resources necessary to develop such a virus meant that a nation state must have been behind its creation.

Stuxnet was believed to be behind the attacks on several industrial control systems at Iran’s Natanz nuclear facility, something which observers said had set the country’s nuclear programme back by several years