'Duqu' Not After Same Target As Stuxnet, Researchers Say

New Kaspersky Lab analysis finds two distinct pieces of malware
Just what the attackers behind the newly discovered Stuxnet-like "Duqu" backdoor malware are after remains unclear, but researchers at Kaspersky Lab say the malware is not likely aimed at Iranian nuclear facilities, as Stuxnet had been.

"Unlike Stuxnet, the amount of infections is rather confined with Duqu. So the fact that we see Duqu in a few different countries basically rules out that it has the same target as Stuxnet," says Roel Schouwenberg, senior researcher at Kaspersky Lab. "Stuxnet clearly had one very specific target."

The malware, which originally was found in some unnamed European organizations and then analyzed by Symantec and McAfee, appears to be attacking industrial control-system vendors and certificate authorities (CAs), with multiple variants in circulation.

And according to Kaspersky Lab's analysis, the Duqu infections are made up of at least two malware programs: a main module and a keylogger. It's the main module that so closely resembles Stuxnet, not the keylogger, according to Kaspersky.

"The module is very similar to Stuxnet -- both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy-program!" blogged Alex Gostev, Kaspersky Lab's chief malware expert, today.

The main module comprises three elements: a driver that places a DLL into system processes, the DLL that works with the command-and-control, and a configuration file, according to Kaspersky.

"The separate keylogger is like a downloaded stand-alone plug-in for the main module -- we currently assume it's downloaded by the main module," Schouwenberg says. "It's strange to name the entire threat after a plug-in, [Duqu]. The keylogger produces the ~DQ file."

Kaspersky hasn't seen the earmarks of the original Stuxnet attack, such as a clear target against PLCs, self-replication, or zero-days, he says. "So it was very easy for people to get confused. The likeness is in the internal structures."

But Kaspersky agrees with analysis by Symantec and McAfee that the latest threat could be the handiwork of the original Stuxnet attackers, or at least someone with access to the Stuxnet source code. Schouwenberg says there's no way to know for sure whether the creators of this new malware are the same ones who wrote Stuxnet, but it's likely. "It would be a huge amount of work to get to this level of similarity by reverse-engineering," he says.

Still unknown, too, is the first phase of the attack that placed Duqu onto the infected machines. "We -- like everyone else -- are looking to find the initial installer," he says. It might be that the installer used a zero-day exploit, or some self-replication function, he says.

And if it is the same authors as Stuxnet, there are hints that they might have learned a few lessons on how to better remain under the radar this time.

"Perhaps the fact that we haven't found it -- yet -- means the creators have learned. However, as this operation may still be ongoing, any extra day we don't have the installer means an easier time for the bad guys," Schouwenberg says.

Another example of an improvement over Stuxnet is the digital certificate used in the new attack, he says. "One of the drivers was signed using a stolen digital certificate from C-Media. The signing process was where the Stuxnet authors had been a bit sloppy. With Duqu, they didn't repeat that mistake. It's signed in an 'untraceable' way," Schouwenberg says. That could indicate that if it's the same attackers that were behind Stuxnet, they have learned from their mistakes, he says.

Kaspersky's analysis of Duqu is here.
