Duqu, Stuxnet link unclear
- 27 October, 2011 13:34
A report by Dell SecureWorks on Wednesday debunked the idea that the newly discovered Duqu Trojan is related to last year's Stuxnet worm or was created by the same authors.
According to SecureWorks, there are some similarities in code and function between Duqu and Stuxnet, but there's little conclusive proof the two are linked. "Supporting evidence is circumstantial at best and insufficient to confirm a direct relationship," SecureWorks said.
The Duqu Trojan was discovered earlier this month by a little-known Hungarian lab called the Laboratory of Cryptography and System Security. In a report last week, Symantec called the Trojan a precursor to the next Stuxnet and said that Duqu shared a lot of its source code with Stuxnet and was likely created by the same authors.
Unlike Stuxnet, Duqu is not directly targeted at industrial control systems, Symantec noted. Its main purpose is to let attackers steal data from manufacturers of industrial control systems that can then be used to craft attacks against entities using such systems.
But Jon Ramsey, CTO at Dell SecureWorks, said that any link between Duqu and Stuxnet appears tenuous at best.
Both Duqu and Stuxnet are sophisticated pieces of malware featuring multiple components. All of the supposed similarities between the two exist in just one of those components, Ramsey said.
Both Duqu and Stuxnet use a kernel driver to decrypt and load certain encrypted files on the infected computer. The kernel driver serves as an "injection engine" for loading the files into a specific process, according to SecureWorks. "The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files," the security vendor said in its report.
But that doesn't mean the two are directly related, Ramsey said, noting that kernel-level rootkits have been used before and are not unique to Stuxnet or Duqu. Previously discovered malware threats such as BlackEnergy 2 and Rustock both used a similar kernel-level rootkit, Ramsey said.
The fact that Duqu's kernel driver was signed using a code signing certificate associated with Stuxnet has been held up as a sign that the two are related. But compromised signing certificates such as the one used by Duqu can be obtained from several sources, Ramsey said. Someone would have to prove that the source of both the Duqu and Stuxnet certificates was the same in order to draw a definite conclusion, he said.
Other than the similarities in the kernel drivers, Duqu and Stuxnet are quite different in almost all other aspects, Ramsey said.
Duqu is designed purely for data theft and for providing remote access to a compromised system; Stuxnet was purpose-built for attacking industrial control systems. There's nothing in Duqu to suggest it was designed specifically to steal ICS data.
Stuxnet exploited four zero-day vulnerabilities, while Duqu exploits none, Ramsey said. Stuxnet also used peer-to-peer technologies and network shares to propagate while Duqu does not appear designed for self-propagation. Also, while Stuxnet came with a built-in capability for stealing information, Duqu only has add-on data exfiltration capabilities.
"Compared to Stuxnet, Duqu is not in the same ballpark," he said. "Five years ago, Duqu would have been pretty phenomenal. Today such kernel-level rootkits are common."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.