Because Duqu's architecture is very flexible, it can update itself, change command-and-control (C&C) servers and install other components at any time. In fact, Kaspersky didn't find the original keylogger module on any of the infected systems in Sudan or Iran, meaning that it was either encoded differently or replaced with another one.
"We cannot rule out that the known C&C in India was used only in the first known incident [...] and that there are unique C&Cs for every single target, including targets found by us," Kaspersky's researchers also noted.
They also believe that the people behind Duqu are reacting to the situation and are not going to stop. As the hunt for new information continues, we'll likely see more developments in the days to come.
Sign up for Computerworld eNewsletters.