Duqu, Stuxnet Worms May Come From Different Authors

While many security researchers believe Duqu was developed by the Stuxnet authors, there are others who believe a different team adapted the code for their purposes.

The fact that the newly discovered Duqu worm has portions of Stuxnet code has led many security researchers to call it Stuxnet 2.0, and speculate that the same team was responsible for both pieces of malware. Based on recent analysis, some researchers now believe the relationship is a little bit more distant.

While Duqu "bears a striking resemblance" to Stuxnet, there were some differences that make it likely that the developers were different, BitDefender researcher Bogdan Botezatu wrote Oct. 19 on the Malware City blog. The fact that the code was reused was actually a strong indicator that it was a different team, he said.

The general approach among malware developers is to "hit once, then dispose of the code," Botezatu wrote.

Code "reuse" is a bad practice among malware developers because most major antivirus vendors would have already developed heuristics and other detection capabilities for that code sample. When the malware is a "heavyweight" such as Stuxnet, it's even more likely that security vendors will be able to detect the new sample.

That was what actually happened, according to F-Secure's chief research officer Mikko Hypponen. F-Secure's systems originally detected Duqu as a Stuxnet variant, he said.

As for the similarity in code, while it was true that the actual source code for Stuxnet was not readily available, the rootkit's binaries had been reverse-engineered and posted online earlier this year. This meant that with a little bit of tweaking, anyone could use the code as a foundation for new pieces of malware with Stuxnet-like capabilities, according to BitDefender.

Duqu is actually a combination of at least two malicious programs, according to Kaspersky Lab. The main module-which injects a DLL file into the compromised system, works with a remote command and control server and contains a configuration file-is similar to Stuxnet in structure and in behavior, Alex Gostev, chief malware expert at Kaspersky Lab, wrote on the Securelist blog. The second program, "basically a keylogger," is what differentiates the latest worm from Stuxnet.

Duqu's authors were actually "very careful" during development, and "they were able to change the code and bypass detection by all popular antivirus programs," Gostev said, noting that most major antivirus companies didn't actually detect Duqu until after Oct. 17, when Symantec publicized its findings.

While it's likely that the main module downloaded the Duqu program after compromising the system, Duqu is functionally an independent application and can work without the main module. Likewise, the Stuxnet-module does not require the Duqu component to operate.

"The connection between the keylogger and Stuxnet is not so obvious, and that's why it's possible-at a stretch-to perhaps call it a grandchild of Stuxnet, but certainly not its child," Gostev said.

Stuxnet also has two parts, with the worm focused on infection and replication while the "warhead" targets the industrial control systems. Kaspersky had previously suggested that Stuxnet was developed by two different groups that may not have known about each other's existence or the ultimate aim of the malware.

Gostev said something similar was happening with Duqu, except there was no "warhead," as the worm did not have any active capability beyond collecting information.

BitDefender noted that Duqu's purpose was different from Stuxnet. While Stuxnet was used for military sabotage, Duqu was designed to gather information from compromised systems. Despite the kind of information it was collecting, Duqu should "be regarded as nothing short of a sophisticated keylogger," according to BitDefender.

BitDefender did not downplay the seriousness of the threat, noting that users still needed to be vigilant.

"The discovery of Duqu highlights the need for power and utilities companies to identify, classify and protect their proprietary information," Brad Bauch, a principal consultant in the energy, utilities and power generation group at PwC, told eWEEK. Even though Duqu is not designed to sabotage actual industrial control systems like Stuxnet was, utilities companies have to implement an "effective information protection strategy" to keep the data from being stolen, he said.

At this moment, it's not known what kind of organizations have been compromised by Duqu. Symantec did not disclose the information in its analysis, while McAfee researchers said certificate authorities around the world have been targeted. Kaspersky's Gostev said some of the infected companies were in Hungary.