
What I don't understand is, how does it send the information it gathers back to its operators? I thought that these industrial facilities weren't usually connected to the internet, and that a worm had to get lucky with a thumb drive to get inside.

How do you run that backwards to get data out? Surely not thumb drives again?



This malware does not target air-gapped industrial control systems. This is just a remote administration trojan with a keylogging component. The kernel mode driver architecture and hooking method is the same (probably same code) as used in Stuxnet but the malware's purpose is information gathering only, not industrial sabotage.


This doesn't contain the payload. That means its target is not the same as Stuxnet.

I would assume that the master copy of Duqu takes over a computer, then installs a recon version on the USB stick that travels to the targeted facilities.

Of course this assumes Duqu's purpose/target/method are the same as Stuxnet. It could also be true that the attackers already know the info about the facility. All this strain of the virus is looking for is someone who works there.

I dunno... the ambiguity (in the article) is so high that the number of plausible scenarios is up there too.


Ditto - I thought the point of the worm was that it wasn't trying to send information back - it was trying to achieve a specific, physical purpose (i.e. to disrupt some component in the nuclear facility), and not necessarily send data back?

But they did point out that it was actually sending stuff back at the top of the article, so I'm equally confused!


It is also true that air-gapped systems do a lot more checking on the way in than they do on the way out.


That's the reason for this separate recon version. It finds the machine that is connected to the internet at the plant, along with which websites etc. the user accesses. This allows them to target that machine/user with the payload, which will get onto the USB stick and into the actual factory.



