Stuxnet, Duqu Link Grows Stronger

Tuesday, January 3, 2012 @ 03:01 PM gHale

Stuxnet and Duqu malware are one and the same, said researchers at Kaspersky Lab, whose analysis jibes with a previous report from ISSSource.

On top of that Kaspersky said they are warning of at least three new families of advanced malware potentially in circulation.

RELATED STORIES
Stuxnet to Duqu: The Waiting Begins
Attackers Clean Out Duqu Servers
Duqu and Rumors of War
A New and Frightening Stuxnet
Stuxnet: A Chief Executive Plan
Stuxnet Report V: Security Culture Needs Work

Security experts have been debating if the two code groups are by the same authors, but some said the evidence was inconclusive. An analysis by NSS last month linked the two, but this might be down to reverse engineering, rather than the original coding.

In November, ISSSource reported Israeli concerns over Iran’s potential nuclear program reached a crescendo of frantic anxiety.

That led to American and Israeli officials heading a team effort to perfect the new Stuxnet worm, called Duqu, that may be able to bring down Iran’s entire software networks if the Iranian regime gets too close to breakout, U.S. intelligence sources said.

Researchers had examined drivers used in Stuxnet and Duqu and concluded a single team was most likely behind them both, based on the timing of their creation and their methods of interacting with the rest of the malware code, said Alexander Gostev, chief security expert at Kaspersky Lab.

“We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team,” he said.

The researcher’s data suggests both are on a common platform, dubbed Tilded because it uses many files beginning with the tilde symbol “~” and the letter “d.” The platform came into existence around 2007 or later, and updated in 2010 — possibly to evade countermeasures.

Kaspersky’s director of global research & analysis, Costin Raiu, said the platform and drivers involved would indicate five families of malware are out there using the platform already, and that others may be in development. The modularity of the systems makes it easy for the malware writers to adapt their creations to new purposes and techniques.

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,” he said.