by Ken Mingis

The Takeaway: What’s behind the Duqu 2.0 hit on Kaspersky Lab

Jun 11, 2015

The company's namesake founder posits that the attackers wanted security intel


Eugene Kaspersky has a theory about why the hackers behind the Duqu 2.0 malware targeted his company: they wanted intelligence.

“I’m pretty sure they were watching,” Kaspersky said during a news conference Wednesday that was webcast. “Maybe they were interested in some specific attacks we were working on. Or maybe they wanted to see if we could catch them.”

The high-level malware gets its name from the four-year-old Duqu, which is itself thought to be related to the infamous Stuxnet malware. It was used to infiltrate Kaspersky Lab’s systems, where it apparently remained hidden for several months before being uncovered.

At yesterday’s news conference in London and in a post on, Kaspersky called the hackers “stupid, but greedy” and offered up his thoughts on what was behind the attack:

  • The attackers may have been seeking insight and information about Kaspersky’s security technology, more specifically how the firm finds malware and decides what to analyze more fully. That intelligence would be valuable for hackers looking to craft future malware that could better escape detection.
  • The attack may have been a simple ego play, “the urge of the hunter to hang the head of a big lion on a wall,” Kaspersky wrote on “…If that is the case, the attackers messed up: now we know how to catch a new generation of stealthy malware developed by them.”
  • Surprisingly, the hackers apparently weren’t after Kaspersky’s customers. The antivirus firm found no evidence that Duqu accessed customer or partner information.

In the post, Kaspersky called Duqu 2.0 “extremely innovative and advanced” and noted that since it lives in system RAM and avoids making changes to a hard drive, it’s difficult to spot. Even so, “no matter the reasons behind this attack, the bad guys have lost a very expensive and sophisticated framework they’d been developing and nurturing for years.”

With reports from Gregg Keizer at Computerworld.