Duqu, Stuxnet Built on Common Platform With Other Similar Super-Malware

Further analysis of the Duqu Trojan has revealed that the platform that was used to develop Stuxnet and Duqu may have been used to create similar Trojans, according to Kaspersky Lab.

By analyzing the software drivers used by both Stuxnet and Duqu, Kaspersky researchers determined that both Trojans were built on the same platform, which the security firm has dubbed “Tilded,” Alex Gostev, head of the global research and analysis team at Kaspersky Lab wrote Dec. 28 on the Securelist blog.

Both Stuxnet and Duqu appear to have been created back in late 2007 or early 2008, and other pieces of malware with similar capabilities were built on the same platform, Gostev said.

Gostev examined two key drivers and variants that were used in both Stuxnet and Duqu, as well as two previously unknown drivers that were similar to the ones used. Not only did the same group of people develop Stuxnet and Duqu, but they likely worked simultaneously on multiple variants, Gostev said. The other pieces may be in the wild and not yet detected, or the developers may have decided not to release them, he said.

“Stuxnet and Duqu are two of them-there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing-we’re likely to see more modifications in the future,” Gostev wrote.

Stuxnet was first discovered in June 2010 when it attacked and damaged software and equipment used in Iranian nuclear facilities. Stuxnet took advantage of multiple zero-day vulnerabilities in Microsoft Windows, including an escalation-of-privilege flaw and exploited Microsoft’s AutoRun functionality to spread across computers via infected USB drives.

Duqu was discovered by researchers at CrySyS lab at the Budapest University of Technology and Economics in September and has infected machines in various countries around the world, including France, the Ukraine and Sudan. Duqu also took advantage of a zero-day vulnerability in the Microsoft Windows kernel. Unlike Stuxnet, Duqu doesn’t appear to have been designed to attack industrial control systems, but to steal information.

“We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers,” Gostev wrote.

The architecture used to create Duqu and Stuxnet appears to be the same, relying on a driver file that loads a main module designed as an encrypted library, according to the analysis. There is also a separate configuration file for the whole malicious package, as well as an encrypted block in the system registry that defines the location of the module being loaded.

Gostev said “with a fair degree of certainty” that the Tilded platform had been created around the end of 2007 or early 2008 and underwent significant changes in the summer and autumn of 2010. The malware developers had compiled a new version of a driver file a few times a year, and used the newly created reference file to load and execute the main module of some other malicious software, according to Gostev.

The developers are tweaking ready-made files instead of creating new drivers from scratch, which allows them to make as many different driver files as they like, each having exactly the same functionality and creation date, Gostev said. These files can also be signed with legitimate digital certificates and packaged into different variants.