Duqu, Stuxnet likely from same developers

The notorious Trojan malwares Duqu and Stuxnet appear to be handiwork of a single developer group, a computer security firm said.

 

Kaspersky Labs said it is possible the same development team could already have developed similar malware that is “flexibly adaptable” to specific targets.

 

“Some of the similarities include a software driver within Duqu and Stuxnet that commanded how the malwares would work when it infects a computer. Among the few key differences is the date of the signing of the digital certificate,” Kaspersky said.

 

A team led by Kaspersky Labs chief security expert Alexander Gostev discovered the similarities between the two malware in 2011, while trying to identify the source of these Trojans.

 

The team learned Duqu, Stuxnet, and a number of malwares discovered in 2011 used a development platform called “Tilded,” using the tilde symbol (“~”) in many of these malware.

 

Gostev noted the Tilded platform was created around 2007 or early 2008, and underwent more significant changes in late 2010.

 

“The significant changes in the Tilded platform was fueled, most likely, by the need for malware creators to make their malwares less detectable to antivirus applications,” Kaspersky said.

 

Also, Gostev said the drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans.

 

“The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date. We consider that these drivers were used either in an earlier version of Duqu or for infection with completely different malicious programs. Moreover, these could have been same platform and, it is likely, a single creator-team,” he said.

 

Meanwhile, other malwares that are yet to be identified also had some similarities to either Duqu or Stuxnet, fueling speculation on the source of these malware.

 

Duqu was discovered “in the wild” in late 2011 while Stuxnet has been spreading since mid-2010.

 

Both infect specific, industrial machines, then capture specific information and commands, then send these to the one where the malware was deployed.

 

Administrators of these industrial devices that were infected often do not know of the presence of Duqu or Stuxnet unless they run a systems analysis of their information technology infrastructure.

 

“It has been speculated that the purpose of Duqu, Stuxnet and their similar malware is for espionage as some of the infections were found in nuclear power plant facilities, especially in Iran,” Kaspersky said.

 

Gostev said there were projects involving programs based on the “Tilded” platform from 2007 to 2011.

 

“Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing – we’re likely to see more modifications in the future,” Gostev said. — TJD, GMA News