Researchers are now fairly confident that whoever wrote the Duqu malware was also involved in some way in developing the Stuxnet worm. They are equally confident that they have not yet identified all of Duqu's individual components, meaning that the malware may have capabilities that haven't been documented yet.
Despite its huge public profile, Duqu is not a widespread piece of malware. In fact, there probably aren’t more than a few dozen infections at this point, experts say. The malware is being used in highly specific attacks against carefully chosen targets, and in virtually every known case, the attackers have used different encryption methods and different files. This makes detection difficult, and it also shows that the attackers aren’t in a hurry. They’re taking their time and being quite careful about the way that they conduct the attacks.
“I’d guess there are somewhere less than fifty infections around the world. It’s a very small number of targets,” Costin Raiu, director of global research and analysis at Kaspersky Lab, who has done much of the analysis of Duqu, said in a podcast interview.
When the first Duqu infection was discovered, the only component that initially showed up had no ability to connect to the Internet; it simply collected data about the infected machine without sending it to a remote host. Researchers were puzzled, so they dug deeper and identified more and more components linked to the attack, eventually reaching a reasonably good picture of what Duqu does and how it works. The components differ from infection to infection, as does the encryption routine, Raiu said.
But he doesn’t think that all of the components have even been identified at this point.
“Definitely not. We haven’t seen all of the individual components. We’ve only seen two infostealers,” Raiu said.
There was a lot of speculation when Duqu first emerged about whether the attack was the work of the same group–still unknown–that had created Stuxnet and unleashed it on Iran’s nuclear facilities last year. Some of that was centered on supposed similarities in the code between the two pieces of malware, but that was before many of the individual components of Duqu had been identified and analyzed. Now that the analysis and research into the Duqu malware have advanced a bit, researchers say they’ve found more evidence that points to the malware being the work of the Stuxnet authors or their close associates.
“I’m convinced it’s the same group,” Raiu said.
He added that it may not be the exact same developers who wrote Stuxnet, but it is certainly the work of the same "publishing house," a group that Raiu said likely invested tens of millions of dollars in the malware's development and deployment. A budget of that size narrows the field of potential creators to a small set of well-resourced actors, one that would have to include governments. But it's possible that the attackers' identities will stay hidden for a long time.
“We may never know who these guys are,” Raiu said.
This post was edited on Nov. 16 to fix grammatical errors.