Same Toolkit Spawned Stuxnet, Duqu, And Other Campaigns

There's one thing most Stuxnet researchers now agree on: Stuxnet and Duqu came from the same code base. And now new research backs up that theory as well as reveals that at least three additional and unrelated exploits were written from the same platform, which has been christened "Tilded" by researchers at Kaspersky Lab.

Kaspersky researchers say at least three other projects besides Duqu and Stuxnet were created with Tilded -- named for the developers' penchant for using file names that start with a tilde symbol and the letter "d" -- including a spyware module that dates back to 2007 and 2008. But still no real evidence points to the actors behind Stuxnet, Duqu, or the other attacks using the Tilded, the researchers say.

Meanwhile, other likely exploits have yet to be discovered from the same platform, researchers say.

"We don't know who the attackers are, but what we can say from all the evidence is that they are quite well-organized ... we're talking about professional software developers working in four or five different teams and each team taking care of one of the modules," says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. And their focus appears to entail sabotage of some type, he says, with the support of a nation-state and with the goal of cyberespionage.

But neither Kaspersky nor Symantec, which have led much of the research into Stuxnet and Duqu, can confirm in their research the million-dollar question of just who is behind the two attack campaigns, despite heavy speculation that it's the handiwork of the U.S. and Israel attempting to derail Iran's nuclear enrichment program.

Security expert Tom Parker says while Duqu and Stuxnet could be related, that doesn't mean they are necessarily the same operation. "The missions of Stuxnet and Duqu were different: One was reconnaissance [Duqu], and the other was a proactive agent [Stuxnet]," says Parker, chief technology officer at FusionX. "I don't think there is any information technology analysis of the similarities in the code to suggest that [they are from the same operation]."

And Don Jackson, senior security researcher at Dell Secureworks, says while Kaspersky's new research basically reinforces his theory that Stuxnet and Duqu were written with the same kit, it doesn't prove they were written by the same authors. He argues that code-sharing is not as effective in attribution in malware nowadays due to the wide availability of crimeware kits. "You need to focus more on the operational parameters," he says. "What was in common with the two is that they were generated by the same kit. Now we have a name for that kit," Jackson says.

That doesn't necessarily mean they go together, however, he says. Jackson contends that Duqu was not used for reconnaissance for Stuxnet, a conclusion that Kaspersky has drawn and Symantec has suggested. "I don't believe Duqu was used as reconnaissance for Stuxnet. In fact, based on our understanding of all the findings to date, it's contraindicated," he says.

For one thing, Duqu appears to be younger than Stuxnet, according to Jackson. "If the development of the Tilded kit follows the general evolutionary pattern of development of software in general, and of practically all similar malware kits more specifically, then Duqu is younger than Stuxnet based on the common code. This is supported by analysis of incident time lines and other artifacts, such as compiler and code-signing time stamps," etc., he says.

Liam O Murchu, manager of operations for Symantec Security Response, says while Stuxnet and Duqu use the same code base, the real link is the loader file that Kaspersky studied: It's one file on the disk of an infected machine that is not encrypted. And while Murchu can't reveal details about Duqu victims, he says Duqu was targeting similar types of companies, possibly for a future Stuxnet attack. "I can say that all the companies Duqu [hit] had something useful to the business of Stuxnet," Murchu says.

And it's likely the attackers behind Duqu and Stuxnet are still operating under different attack campaigns. "They are likely still operating and reconfiguring and recompiling it to avoid security products or researchers," he says. "There could be attacks going on right now that we are not aware of."

[Lessons learned from the Stuxnet-Duqu link. See Four Takeaways From The Stuxnet-Duqu Connection.]

Meanwhile, there are several missing pieces to the Stuxnet and Duqu puzzle. First, there's "Stars," a cyberattack the Iranian government claims hit its nuclear facility in April. Researchers at first dismissed the news as either a hoax or common malware, according to Kaspersky's Raiu, but later discovered that Duqu contains a photo showing the collision of two galaxies, indicating a possible connection with Stars.

"We think that many targets in Iran were specific versions of Duqu, and that may be one of the missing pieces of the puzzle," he says.

Another question is that one of the components for the Duqu command-and-control (C&C) servers was written in a programming language that the researchers had never seen before. "It was a very curious procedural language .. we don't know why they chose to write it in a different language, and we don't know what this language is," Raiu says. "Solving this [may] help us understand who created the communication module, or if different groups don't know about one another," for example, he says.

Still a mystery, too, is how the Duqu attackers hacked the systems they used as C&C servers. "All of the computers belong to people and organizations unrelated to Duqu and had been hacked," he says. "We need a good explanation of how they accessed them."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.