Gostev thinks the Iranians might have found Duqu without realizing it.
“Most probably, the Iranians found a keylogger module that had been loaded onto a system,” he wrote. “It’s possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper (including the documents that contained the then-unknown vulnerability) may have gone undetected.”
Perhaps most ominously, if the compilation dates on the main Trojan component are accurate, there are enough differences among the known variants of Duqu to lead Gostev to suspect that the Trojan’s creators are carefully tailoring the malware package to each specific target as needed.
“This fact shows that the authors build a separate set of files for each specific victim, and do so right before the attack,” Gostev wrote.
Such fine-tuning would make Duqu and its creators more sophisticated and persistent than the so-called “advanced persistent threat” attacks — widely assumed to be coming from China — that have penetrated Western companies over the past few years.