The Internet is under assault by a highly sophisticated cyber weapon called Duqu designed by digital warriors to wreak cyber-havoc on the critical cyber-infrastructure of the Western world. Or else it isn’t.
The emergence of Duqu this week has been accompanied by a huge amount of speculation and discussion about the malware being a direct descendant of Stuxnet. There are some key pieces of evidence in the makeup and behavior of Duqu, as well as the circumstances of its discovery, that have led many people to jump to the conclusion that the two malware samples are indeed somehow related. Specifically, there is some code in the main Duqu module that is nearly identical to bits of code in Stuxnet, and researchers have found that the structure of the two is also quite similar.
Both Duqu and Stuxnet use a modular architecture: a main module consisting of a driver (or set of drivers) that injects a DLL into system processes, a DLL that carries a further module and the code for talking to a command-and-control server, and a configuration file. Stuxnet also carries a separate payload component, and that payload could be swapped out for a different one at any point. Duqu has no such payload; instead it was found with a completely separate component that is essentially a keylogger.
One other key similarity is that both Stuxnet and Duqu use stolen digital certificates from legitimate hardware vendors to sign one or more of their drivers. A valid vendor signature lets a kernel driver load on 64-bit Windows, which refuses unsigned drivers, and makes the component look like any other vendor driver on a quick inspection, which helps the malware evade detection.
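As an added illustration of the signing point (this is not code from the article or from any Duqu or Stuxnet analysis), here is a PowerShell inventory of the kernel drivers Windows currently reports as running, flagging any that are unsigned, fail signature validation, or are signed by a publisher outside an allowlist. The allowlist patterns are assumptions for illustration; build yours from a known-good host of the same Windows build.

```powershell
# Added example, not from the article. Lists running kernel drivers and flags the ones
# that are unsigned, fail Authenticode validation, or are signed by an unexpected publisher.
# ASSUMPTION: these signer patterns are placeholders; derive the real list from a clean host.
$ExpectedSignerPatterns = @(
    'CN=Microsoft Windows*',
    'CN=Microsoft Windows Hardware Compatibility Publisher*'
)

$drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName is reported as \??\C:\... or \SystemRoot\...; normalise it to a plain path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"

        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status  = if ($sig) { "$($sig.Status)" } else { 'FileNotReadable' }
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $thumb   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

        # A signer is acceptable only if it matches one of the expected publisher patterns.
        $allowed = $false
        foreach ($pattern in $ExpectedSignerPatterns) {
            if ($subject -like $pattern) { $allowed = $true; break }
        }

        [pscustomobject]@{
            Service    = $_.Name
            Path       = $path
            Status     = $status
            Signer     = $subject
            Thumbprint = $thumb
            Suspicious = ($status -ne 'Valid') -or (-not $allowed)
        }
    }

# Everything that is unsigned, fails validation, or is signed by an unexpected publisher.
$drivers | Where-Object Suspicious | Sort-Object Signer |
    Format-Table Service, Status, Signer, Path -AutoSize
```

Two caveats. First, a driver signed with a stolen but not yet revoked certificate validates cleanly, so its Status is Valid; it is the signer allowlist, not the Status column, that surfaces the Stuxnet and Duqu case (a hardware vendor's certificate on a driver that vendor never shipped). Second, the list comes from the running kernel, and a driver with rootkit functionality can hide from it, so for forensic work run the same check against an offline disk image from a known-clean system.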
But that’s about as far as the similarities go. Do those pieces of evidence, taken together, prove that Duqu is indeed the spawn of Stuxnet, or that it was even written by the same group who created Stuxnet? No. Nor does it in any way indicate that Duqu was meant to be used as a weapon to disrupt the operation of industrial control systems or other systems linked to critical infrastructure. In fact, Duqu doesn’t include any components capable of attacking ICS machines.
What the available evidence shows is that both Stuxnet and Duqu were designed to be quite stealthy and to compromise specific types of systems. For its part, Stuxnet clearly was built with the singular goal of attacking specific PLCs in mind. It accomplished this goal, but because of some unforeseen events the worm also spread well beyond its intended target environment, onto ordinary Windows PCs with no connection to the target, which hastened its detection.
Duqu also was built with a specific goal in mind, researchers say, but it’s not so clear yet what that goal might be.
“Unlike Stuxnet, which infected many systems but looked for a specific target, Duqu infects a very small number of very specific systems around the world, but may use completely different modules for every system. Moreover, at the moment no one has found the installation file (dropper), which has to be the first link in the infection chain – responsible for both the driver and DLL installation. This file might be a worm and use various exploits. This file is the key to solving the Duqu puzzle,” Aleks Gostev, chief malware expert at Kaspersky Lab, wrote in his thorough analysis of Duqu.
It’s entirely possible that Duqu is the work of the same group that wrote Stuxnet. In fact, many researchers say that’s the most plausible theory, given that the Stuxnet source code is not publicly available. Another, less likely, scenario is that the Stuxnet authors were somehow compromised themselves and the Stuxnet code was taken and reused.
But, in some ways, it’s not really important who wrote Duqu. One would assume that the Stuxnet authors, having been successful in their attempt to use Stuxnet to compromise a nuclear facility in Iran, might take on another assignment. Researchers say that there are several known variants of Duqu in the wild right now, and there’s no way of knowing how many others might be circulating, quietly going to work.
What’s more important in all of this is that in the current climate, simply invoking the name of Stuxnet immediately triggers a set of assumptions and conclusions about the nature of the threat. Saying that Duqu or any other piece of malware is the “son of Stuxnet” or the like implies that the malware is designed to be a targeted weapon and has overtones of the often hysterical discussions about cyberwar. One need only glance at the headlines in the mainstream press about Duqu to see how quickly this happens.
As such highly targeted attacks become more and more prevalent and the topic of electronic warfare and espionage gains more currency in the popular culture, those in the security community who understand the nature and seriousness of these threats and attacks should take it upon themselves to be careful about using Stuxnet as the basis for comparison. It clouds the issue and drowns out any substantive discussions that might take place.