Kaspersky Lab researchers believe the same platform that was used to build the Duqu and Stuxnet Trojans may have been used to develop other similar variants.
Further analysis of the Duqu Trojan has revealed that the platform that was used to develop Stuxnet and Duqu may have been used to create similar Trojans, according to Kaspersky Lab.
By analyzing the software drivers used by both Stuxnet and Duqu, Kaspersky researchers determined that both Trojans were built on the same platform, which the security firm has dubbed "Tilded," Alex Gostev, head of the global research and analysis team at Kaspersky Lab, wrote Dec. 28 on the Securelist blog.
Both Stuxnet and Duqu appear to have been created back in late 2007 or early 2008, and other pieces of malware with similar capabilities were built on the same platform, Gostev said.
Gostev examined two key drivers and variants that were used in both Stuxnet and Duqu, as well as two previously unknown drivers that were similar to the ones used. Not only did the same group of people develop Stuxnet and Duqu, but they likely worked simultaneously on multiple variants, Gostev said. The other pieces may be in the wild and not yet detected, or the developers may have decided not to release them, he said.
"Stuxnet and Duqu are two of them - there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing - we're likely to see more modifications in the future," Gostev wrote.
Stuxnet was first discovered in June 2010 when it attacked and damaged software and equipment used in Iranian nuclear facilities. Stuxnet took advantage of multiple zero-day vulnerabilities in Microsoft Windows, including an escalation-of-privilege flaw, and exploited Microsoft's AutoRun functionality to spread across computers via infected USB drives.
Duqu was discovered by researchers at CrySyS lab at the Budapest University of Technology and Economics in September and has infected machines in various countries around the world, including France, the Ukraine and Sudan. Duqu also took advantage of a zero-day vulnerability in the Microsoft Windows kernel. Unlike Stuxnet, Duqu doesn't appear to have been designed to attack industrial control systems, but to steal information.
"We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers," Gostev wrote.
The architecture used to create Duqu and Stuxnet appears to be the same, relying on a driver file that loads a main module designed as an encrypted library, according to the analysis. There is also a separate configuration file for the whole malicious package, as well as an encrypted block in the system registry that defines the location of the module being loaded.
Gostev said "with a fair degree of certainty" that the Tilded platform had been created around the end of 2007 or early 2008 and underwent significant changes in the summer and autumn of 2010. The malware developers had compiled a new version of a driver file a few times a year, and used the newly created reference file to load and execute the main module of some other malicious software, according to Gostev.
The developers are tweaking ready-made files instead of creating new drivers from scratch, which allows them to make as many different driver files as they like, each having exactly the same functionality and creation date, Gostev said. These files can also be signed with legitimate digital certificates and packaged into different variants.
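For defenders triaging a folder of collected driver files, the pattern described above (different files sharing one creation date) can be checked mechanically. The following is an added example, not code from Kaspersky Lab or the original article: it groups files by PE header timestamp and reports groups whose members have different hashes. It assumes the "creation date" means the COFF `TimeDateStamp` field; the file names, timestamps and sample bytes are constructed.

```python
import hashlib
import struct
from collections import defaultdict
from datetime import datetime, timezone

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF header: Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp

def shared_timestamp_clusters(files):
    """files maps name -> bytes. Return {timestamp: sorted names} for every
    timestamp carried by two or more files whose contents differ."""
    by_stamp = defaultdict(dict)
    for name, data in files.items():
        stamp = pe_timestamp(data)
        if stamp is not None:
            by_stamp[stamp][name] = hashlib.sha256(data).hexdigest()
    # Byte-identical copies are not interesting; require distinct hashes.
    return {s: sorted(m) for s, m in by_stamp.items() if len(set(m.values())) > 1}

def make_stub(stamp: int, tail: bytes) -> bytes:
    """Constructed minimal MZ/PE header for the demo; not a loadable driver."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 1, stamp)
    return dos + coff + tail

# Constructed sample set (hypothetical names and timestamps).
SAMPLES = {
    "drv_a.sys": make_stub(1200000000, b"\x01"),       # same stamp as drv_b,
    "drv_b.sys": make_stub(1200000000, b"\x02"),       # different content
    "drv_c.sys": make_stub(1280000000, b"\x03"),
    "drv_c_copy.sys": make_stub(1280000000, b"\x03"),  # identical copy, ignored
    "readme.txt": b"not a PE file",
}

if __name__ == "__main__":
    for stamp, names in shared_timestamp_clusters(SAMPLES).items():
        when = datetime.fromtimestamp(stamp, tz=timezone.utc).date()
        print(f"{when} ({stamp}): {', '.join(names)}")
```

A shared timestamp alone is a weak signal, since legitimate build systems can also emit identical or fixed timestamps, so a hit is a reason to compare the files more closely rather than a verdict.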