Researchers are fairly confident now that whoever wrote the Duqu malware also was involved in some way in developing the Stuxnet worm. They’re also confident that they have not yet identified all of the individual components of Duqu, meaning that there are potentially some other capabilities that haven’t been documented yet.

Despite its huge public profile, Duqu is not a widespread piece of malware. In fact, there probably aren’t more than a few dozen infections at this point, experts say. The malware is being used in highly specific attacks against carefully chosen targets, and in virtually every known case, the attackers have used different encryption methods and different files. This makes detection difficult, and it also shows that the attackers aren’t in a hurry. They’re taking their time and being quite careful about the way that they conduct the attacks.

“I’d guess there are somewhere less than fifty infections around the world. It’s a very small number of targets,” Costin Raiu, director of global research and analysis at Kaspersky Lab, who has done much of the analysis of Duqu, said in a podcast interview.

When the first Duqu infection was discovered, the first component that showed up didn’t have the ability to connect to the Internet and was simply collecting data about the infected machine. It wasn’t sending that data out to a remote machine. Researchers were puzzled, so they began looking into it more deeply and began identifying more and more components linked to the attack, eventually getting to the point where they had a reasonably good picture of what Duqu does and how it works. The components differ from infection to infection, as does the encryption routine, Raiu said.

But he doesn’t think that all of the components have even been identified at this point.

“Definitely not. We haven’t seen all of the individual components. We’ve only seen two infostealers,” Raiu said.

There was a lot of speculation when Duqu first emerged about whether the attack was the work of the same group–still unknown–that had created Stuxnet and unleashed it on Iran’s nuclear facilities last year. Some of that was centered on supposed similarities in the code between the two pieces of malware, but that was before many of the individual components of Duqu had been identified and analyzed. Now that the analysis and research into the Duqu malware have advanced a bit, researchers say they’ve found more evidence that points to the malware being the work of the Stuxnet authors or their close associates.

“I’m convinced it’s the same group,” Raiu said.

He added that it may not be the same exact developers who wrote Stuxnet, but it’s certainly the work of the same “publishing house”, a group that Raiu said likely invested tens of millions of dollars in the malware’s development and deployment. That points to a small group of potential creators, a group that would have to include governments. But it’s possible that the attackers’ identities will stay hidden for a long time.

“We may never know who these guys are,” Raiu said.

This post was edited on Nov. 16 to fix grammatical errors.

Categories: Hacks, Malware

Comments (15)

  1. Anonymous
    2

    “But it’s possiblt that the attackers’ …”  But it’s possible that the attackers’

    The use of but here is a matter of taste, but some people may give you hell for it.

  2. Dennis Fisher
    3

    Thanks to all of the grammarians for their input. Much appreciated. Quick typing gets the better of me sometimes.

  3. Anonymous
    4

    Interesting how the United States is also right now on a public broadcast that it will take offensive action against cyber warfare coming from foreign countries. With the Stuxnet/Duqu scare fresh in foreign security techies’ consciences it’s basically like we’re saying, “See what can happen (pointing to Iran), see what we can do? Don’t make us fight back– you could be next.”

    <Insert your future comments here that our government security has no defense and no intelligence anyway here> –but it still doesn’t change that the U.S. could be saying “See?? …You muck with us and we’ll Stuxnet you back.”

    - E

  4. Anonymous
    6

    Who has the most to gain from crippling Iran’s development? The imbecile in the White House or that small nation Iran has sworn to destroy with a nuclear device?

    Do you need to know the author’s name? Do you think China or Russia is behind this?

    A military-grade cyber weapon was dropped on Iran! I don’t particularly care about the launch point. Are you afraid they’ll drop one on you?

    China & Russia are making money selling Iran these components… That leaves the Chicago Marxist and Israel. Israel has the right to defend itself; on the other hand, the Chicago Marxist might just be knocking off the competition and taking over the whole cabal.

  5. Anonymous
    9

    So it’s an info-gatherer that doesn’t touch base with its home port…

    I don’t know if it’s just me, but that seems like someone is in the process of writing a virus and we’re just starting to see their test environment.

    Are we sure the computers that these “Duqu” infections are on are clean otherwise? Seems to me like someone is using a virus on their computer to use it to test new viruses.

    What scares me (and correct me if I’m wrong, I’m not 100% sure I heard correctly) is the fact that this “Duqu” virus slips its way into the bootloader.

  6. Anonymous
    10

    Maybe Duqu is involved somehow in the investigation of Iran’s nuclear program? Stuxnet targeted Iran’s nuclear program as well…


  7. Olera
    12

    This is pure speculation on my part – I have no information beyond what has been published by Kaspersky, Symantec, et al.

    It seems to me that if you are going to invest significant resources – time, money and intelligence (just how much is a pool of zero-day exploits worth anyway?), then you would design a system that is highly reusable and highly configurable. The malware’s ‘compiler’ would produce ‘code’ that is very tight and easily customized to a specific target and specific penetrations prior to reaching the target.

    Any function that is not specifically needed is never present. Functions that are needed only at specific points would be removed once they are no longer needed. It would be written to be the ultimate in dynamically updatable software. The payload could be anything – chosen at any point in time – and the payload would only be present in the ‘code’ once you knew you had acquired the desired target. I would view including the payload in instances that have infected non-targets as a serious mistake – and one I would correct in something akin to Stuxnet 2.0.

    It would be, in essence, a chimera. What you would typically see ‘in the wild’ would be just a tiny fraction of the whole.

  8. Anonymous
    14

    The “Chicago Marxist”? Sheesh. And he’s in league with that other Marxist organization, the NSA? I guess you wish we still had that freedom- and civil-rights-loving Dear Leader, GWB, in office. Those were the good ol’ days, right?

  9. Anonymous
    15

    Since you went there, there’s also “Despite it’s huge…” instead of “Despite its huge…”

    And that is also what she said…

Comments are closed.