
The Duqu Trojan has been communicating with a server at one of Belgium’s largest web hosting companies, Combell, according to security vendor Symantec.

The server has since been shut down following failed attempts to contact its owner, according to Combell business development manager Tom De Bast, who spoke with DatacenterDynamics today. Duqu is similar in nature to Stuxnet and has even been called ‘Son of Stuxnet’; security analysts believe the parent virus was built to target critical utilities, including nuclear facilities running industrial control software.

According to security firm Venafi, the malware’s code even appears to have been written by an organization with access to the original Stuxnet source code, which is known for its sophistication.

De Bast said that despite the allegations that Duqu was communicating with a server in the data center, no requests had been received to date from legal authorities in Belgium. “We took it on our own part to shut down the server,” De Bast said. “We heard about the Symantec report on 1 November, then two days later, after not hearing from the server’s owner or the police or Belgium Computer investigators which look into these things in Belgium, we shut the server down.”

De Bast said he thought such a case was unusual for a data center such as Combell’s, which caters to the higher end of the web hosting market. “We are not cheap, we are quite expensive, and we don’t have many cloud operations here,” De Bast said.

According to an interview conducted by Reuters, the server had been leased for a week through to October 27 and had been running continuously. A Combell spokesperson was quoted by Reuters as saying: “It looks fishy ... It’s weird. The mail log itself has almost no entries. I think they are deleting data so they don’t leave traces.”

Symantec said it believes Duqu has infected six companies in countries around the world: one company with operations in France, the Netherlands, Switzerland and Ukraine, another in India, two in Iran and others in Sudan and Vietnam.

Other vendors say that companies with a presence in Austria, Hungary, Indonesia and the UK could also have been infected. Venafi director Calum MacLeod said the security industry is facing increasingly targeted virus attacks, such as Duqu, that are becoming much more dangerous in nature. “Duqu is the embodiment of pre-attack strategies leveraged in militaries all around the world: Send in reconnaissance agents, gather intelligence and report back.

This is what this new malware does on an automated basis: gather intelligence data and other digital assets from systems that use industrial control technologies, and then relay that information back to base,” MacLeod said. Just today, Symantec employee Vikram Thakur said in a blog post that CrySyS, the group that first discovered the original Duqu binaries, had located an installer for the Duqu threat, which could hold the key to how Duqu infects systems.

“The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries,” Thakur said. “Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.”