Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/3/2012
06:11 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Same Toolkit Spawned Stuxnet, Duqu, And Other Campaigns

New Kaspersky Lab research nails down platform used for the targeted attacks, but not all researchers are sold that the exploits are all interrelated

There's one thing most Stuxnet researchers now agree on: Stuxnet and Duqu came from the same code base. And now new research backs up that theory as well as reveals that at least three additional and unrelated exploits were written from the same platform, which has been christened "Tilded" by researchers at Kaspersky Lab.

Kaspersky researchers say at least three other projects besides Duqu and Stuxnet were created with Tilded -- named for the developers' penchant for using file names that start with a tilde symbol and the letter "d" -- including a spyware module that dates back to 2007 and 2008. But still no real evidence points to the actors behind Stuxnet, Duqu, or the other attacks using the Tilded, the researchers say.

Meanwhile, other likely exploits have yet to be discovered from the same platform, researchers say.

"We don't know who the attackers are, but what we can say from all the evidence is that they are quite well-organized ... we're talking about professional software developers working in four or five different teams and each team taking care of one of the modules," says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. And their focus appears to entail sabotage of some type, he says, with the support of a nation-state and with the goal of cyberespionage.

But neither Kaspersky nor Symantec, which have led much of the research into Stuxnet and Duqu, can confirm in their research the million-dollar question of just who is behind the two attack campaigns, despite heavy speculation that it's the handiwork of the U.S. and Israel attempting to derail Iran's nuclear enrichment program.

Security expert Tom Parker says while Duqu and Stuxnet could be related, that doesn't mean they are necessarily the same operation. "The missions of Stuxnet and Duqu were different: One was reconnaissance [Duqu], and the other was a proactive agent [Stuxnet]," says Parker, chief technology officer at FusionX. "I don't think there is any information technology analysis of the similarities in the code to suggest that [they are from the same operation]."

And Don Jackson, senior security researcher at Dell Secureworks, says while Kaspersky's new research basically reinforces his theory that Stuxnet and Duqu were written with the same kit, it doesn't prove they were written by the same authors. He argues that code-sharing is not as effective in attribution in malware nowadays due to the wide availability of crimeware kits. "You need to focus more on the operational parameters," he says. "What was in common with the two is that they were generated by the same kit. Now we have a name for that kit," Jackson says.

That doesn't necessarily mean they go together, however, he says. Jackson contends that Duqu was not used for reconnaissance for Stuxnet, a conclusion that Kaspersky has drawn and Symantec has suggested. "I don't believe Duqu was used as reconnaissance for Stuxnet. In fact, based on our understanding of all the findings to date, it's contraindicated," he says.

For one thing, Duqu appears to be younger than Stuxnet, according to Jackson. "If the development of the Tilded kit follows the general evolutionary pattern of development of software in general, and of practically all similar malware kits more specifically, then Duqu is younger than Stuxnet based on the common code. This is supported by analysis of incident time lines and other artifacts, such as compiler and code-signing time stamps," etc., he says.

Liam O Murchu, manager of operations for Symantec Security Response, says while Stuxnet and Duqu use the same code base, the real link is the loader file that Kaspersky studied: It's one file on the disk of an infected machine that is not encrypted. And while Murchu can't reveal details about Duqu victims, he says Duqu was targeting similar types of companies, possibly for a future Stuxnet attack. "I can say that all the companies Duqu [hit] had something useful to the business of Stuxnet," Murchu says.

And it's likely the attackers behind Duqu and Stuxnet are still operating under different attack campaigns. "They are likely still operating and reconfiguring and recompiling it to avoid security products or researchers," he says. "There could be attacks going on right now that we are not aware of."

[Lessons learned from the Stuxnet-Duqu link. See Four Takeaways From The Stuxnet-Duqu Connection.]

Meanwhile, there are several missing pieces to the Stuxnet and Duqu puzzle. First, there's "Stars," a cyberattack the Iranian government claims hit its nuclear facility in April. Researchers at first dismissed the news as either a hoax or common malware, according to Kaspersky's Raiu, but later discovered that Duqu contains a photo showing the collision of two galaxies, indicating a possible connection with Stars.

"We think that many targets in Iran were specific versions of Duqu, and that may be one of the missing pieces of the puzzle," he says.

Another question is that one of the components for the Duqu command-and-control (C&C) servers was written in a programming language that the researchers had never seen before. "It was a very curious procedural language .. we don't know why they chose to write it in a different language, and we don't know what this language is," Raiu says. "Solving this [may] help us understand who created the communication module, or if different groups don't know about one another," for example, he says.

Still a mystery, too, is how the Duqu attackers hacked the systems they used as C&C servers. "All of the computers belong to people and organizations unrelated to Duqu and had been hacked," he says. "We need a good explanation of how they accessed them."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...