A new analysis of the recently discovered Duqu Trojan raises questions about the origin of the malware and its links to the earlier Stuxnet worm.
The report, from Dell’s SecureWorks Counter Threat Unit (CTU), was released Thursday. Analysts at SecureWorks studied the Trojan and found that, although Duqu and Stuxnet share characteristics, including the method both use to load malicious files onto infected systems, the payloads of the two pieces of malware are “significantly different and unrelated.”
The SecureWorks analysis contrasts with those from other security vendors, including Symantec, which was the first prominent security firm to analyze the malware. In an October report, analysts at Symantec argued that Duqu was built upon the Stuxnet code – possibly by the same authors and for the same purpose: to eventually compromise industrial control systems and critical infrastructure.
Analysis by researchers at Kaspersky Lab found similarities in the construction of the main Duqu module and that of the Stuxnet worm, including a similar driver that injects a DLL into system processes. And, despite a small number of Duqu infections worldwide, Kaspersky said that many of those it detected emanated from Iran, as did the Stuxnet worm infections.
However, other security experts soon took issue with the Symantec analysis. Within the industrial control sector, security analysts noted that Duqu – unlike Stuxnet – did not actually target ICS systems. Rather, the Trojan worked like other families of Trojans: allowing remote attackers to monitor the activities of compromised systems and gather data from them.
Indeed, while close analysis of Stuxnet made clear its purpose (the disruption of centrifuges used for uranium enrichment within Iran), Duqu’s purpose is still not clear – nor is it evident that the malware has a specific purpose or target.
The SecureWorks analysis supports and expands those earlier analyses. While Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Link Library) files, injecting the malware into specific Windows processes, that technique “is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats,” according to a post by the CTU team.
As for claims that Stuxnet and Duqu were related because both use a kernel driver file that was digitally signed using a valid software signing certificate, SecureWorks says that commonality isn’t enough to prove a link between the two pieces of malware. “One would have to prove the sources are common to draw a definitive conclusion,” the researchers concluded.
The SecureWorks report adds its voice to a chorus second-guessing the origins and purpose of the Duqu malware. In recent days, Symantec itself has backtracked from some of its earlier claims, clarifying that the worm didn’t target industrial control systems so much as “industrial industry manufacturers” (whatever the heck that is).