While many security researchers believe Duqu was developed by the Stuxnet authors, there are others who believe a different team adapted the code for their purposes.
The fact that the newly
discovered Duqu worm has portions of Stuxnet code has led many security
researchers to call it Stuxnet 2.0, and speculate that the same team was
responsible for both pieces of malware. Based on recent analysis, some
researchers now believe the relationship is a little bit more distant.
While Duqu "bears a
striking resemblance" to Stuxnet, there were some differences that make it
likely that the developers were different, BitDefender researcher Bogdan Botezatu wrote
Oct. 19 on the Malware City blog. The fact that
the code was reused was actually a strong indicator that it was a different
team, he said.
The general approach among
malware developers is to "hit once, then dispose of the code,"
Code "reuse" is a
bad practice among malware developers because most major antivirus vendors
would have already developed heuristics and other detection capabilities for
that code sample. When the malware is a "heavyweight" such as
Stuxnet, it's even more likely that security vendors will be able to detect the
That was what actually
happened, according to F-Secure's chief research officer Mikko Hypponen.
F-Secure's systems originally detected Duqu as a Stuxnet variant, he said.
As for the similarity in
code, while it was true that the actual source code for Stuxnet was not readily
available, the rootkit's binaries had been reverse-engineered and posted online
earlier this year. This meant that with a little bit of tweaking, anyone could
use the code as a foundation for new pieces of malware with Stuxnet-like
capabilities, according to BitDefender.
Duqu is actually a
combination of at least two malicious programs, according to Kaspersky Lab. The
main module-which injects a DLL file into the compromised system, works with a
remote command and control server and contains a configuration file-is similar
to Stuxnet in structure and in behavior, Alex Gostev, chief malware expert at
Kaspersky Lab, wrote on the Securelist blog.
The second program, "basically a keylogger," is what differentiates the
latest worm from Stuxnet.
Duqu's authors were actually
"very careful" during development, and "they were able to change
the code and bypass detection by all popular antivirus programs," Gostev
said, noting that most major antivirus companies didn't actually detect Duqu
until after Oct. 17, when Symantec publicized its findings.
While it's likely that the
main module downloaded the Duqu program after compromising the system, Duqu is
functionally an independent application and can work without the main module.
Likewise, the Stuxnet-module does not require the Duqu component to operate.
"The connection between
the keylogger and Stuxnet is not so obvious, and that's why it's possible-at a
stretch-to perhaps call it a grandchild of Stuxnet, but certainly not its
child," Gostev said.
Stuxnet also has two parts,
with the worm focused on infection and replication while the
"warhead" targets the industrial control systems. Kaspersky had
previously suggested that Stuxnet was developed by two different groups that
may not have known about each other's existence or the ultimate aim of the
Gostev said something
similar was happening with Duqu, except there was no "warhead," as
the worm did not have any active capability beyond collecting information.
BitDefender noted that
Duqu's purpose was different from Stuxnet. While Stuxnet was used for military
sabotage, Duqu was designed to gather information from compromised systems.
Despite the kind of information it was collecting, Duqu should "be
regarded as nothing short of a sophisticated keylogger," according to
BitDefender did not downplay
the seriousness of the threat, noting that users still needed to be vigilant.
"The discovery of Duqu
highlights the need for power and utilities companies to identify, classify and
protect their proprietary information," Brad Bauch, a principal consultant
in the energy, utilities and power generation group at PwC, told eWEEK. Even though Duqu is not designed
to sabotage actual industrial control systems like Stuxnet was, utilities
companies have to implement an "effective information protection
strategy" to keep the data from being stolen, he said.
At this moment, it's not
known what kind of organizations have been compromised by Duqu. Symantec did
not disclose the information in its analysis, while McAfee researchers said
certificate authorities around the world have been targeted. Kaspersky's Gostev
said some of the infected companies were in Hungary.