Stuxnet and Duqu part of larger cybermalware campaign

Worms could be tip of malware iceberg, Kaspersky researchers suggest

The Stuxnet worm was built on the same platform used from 2007 onwards to create a family of cyber-weapon-like malware including the recently-discovered Duqu worm, a forensic analysis by Kaspersky Lab researchers has concluded.

In a detailed analysis, Kaspersky's Alexander Gotsev and Igor Soumenkov lay out the evidence for both pieces of malware having been created using a cybermalware kernel they call 'tilded' (after the tendency of its programmers to use the ~d characters at the start of filenames).

The clues to the relationship between Stuxnet and Duqu look compelling and have in part been mentioned by the company before. Both share a common design, featuring an identical division of the programs into parts carrying out similar functions.

However, while analysing a newly discovered driver file from a Chinese PC which contained Duqu files, the researchers discovered that it appeared to be a modified version of a driver file used by Stuxnet. The modification used the same certificate and had the same signing date and time, leading to the conclusion that the two pieces of malware must share common origins.

Running through the company's malware file database, the team found seven other drivers with similar characteristics, including three - rndismpc.sys, rtniczw.sys and jmidebs.sys - that still can't be related to specific pieces of malware.

These files cannot interact with any known version of Stuxnet, leaving the researchers to conclude that they were either connected to an earlier version of Duqu or represent fragments from unidentified pieces of malware created by the same team.

"There were a number of projects involving programs based on the 'tilded' platform throughout the period 2007-2011. Stuxnet and Duqu are two of them - there could have been others, which for now remain unknown," writes Alexander Gotsev or Kaspersky Lab.

The team's evidence is not conclusive but the circumstantial connections between Stuxnet and Duqu are now looking firmer, confounding sceptics who have suggested that the relationship is being overplayed as part of a fashion for geo-political software conspiracies.

In Kaspersky's analysis, the programs were part of a common effort by a single team dating back at least four years. The evolution of the malware suggests that this development is ongoing and has affected its targets in ways not yet detected or made public.

What the analysis cannot answer is who was behind what is now widely considered to be most potent cybermalware ever discovered, namely Stuxnet and probably Duqu too. Stuxnet has even recently though less convincingly been connected to the Conficker worm of 2008.

Popular security opinion blames Israel aided by the US but that is speculation. Iran's nuclear program was Stuxnet's most obvious victim but Israel and the US are far from the only countries with an interest in seeing it hindered.

"The platform continues to develop, which can only mean one thing - we're likely to see more modifications in the future," the researchers conclude.

Fifteen years legal, Australian e-signature use still lags world

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Get powerful mobile security capabilities, and protect the data the various mobile devices inside your organization.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.