Duqu, Stuxnet link unclear
Dell SecureWorks says there's little real proof that Duqu is related to Stuxnet
Computerworld - A report by Dell SecureWorks on Wednesday debunked the idea that the newly discovered Duqu Trojan is related to last year's Stuxnet worm or was created by the same authors.
According to SecureWorks, there are some similarities in code and function between Duqu and Stuxnet, but there's little conclusive proof the two are linked. "Supporting evidence is circumstantial at best and insufficient to confirm a direct relationship," SecureWorks said.
The Duqu Trojan was discovered earlier this month by a little-known Hungarian lab called the Laboratory of Cryptography and System Security. In a report last week, Symantec called the Trojan a precursor to the next Stuxnet and said that Duqu shared a lot of its source code with Stuxnet and was likely created by the same authors.
Unlike Stuxnet, Duqu is not directly targeted at industrial control systems, Symantec noted. Its main purpose is to let attackers steal data from manufacturers of industrial control systems that can then be used to craft attacks against entities using such systems.
But Jon Ramsey, CTO at Dell SecureWorks, said that any link between Duqu and Stuxnet appears tenuous at best.
Both Duqu and Stuxnet are sophisticated pieces of malware featuring multiple components. All of the supposed similarities between the two exist in just one of those components, Ramsey said.
Both Duqu and Stuxnet use a kernel driver to decrypt and load certain encrypted files on the infected computer. The kernel driver serves as an "injection engine" for loading the files into a specific process, according to SecureWorks. "The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files," the security vendor said in its report.
But that doesn't mean the two are directly related, Ramsey said, noting that kernel-level rootkits have been used before and are not unique to Stuxnet or Duqu. Previously discovered malware threats such as BlackEnergy 2 and Rustock both used a similar kernel-level rootkit, Ramsey said.
The fact that Duqu's kernel driver was signed using a code signing certificate associated with Stuxnet has been held up as a sign that the two are related. But compromised signing certificates such as the one used by Duqu can be obtained from several sources, Ramsey said. Someone would have to prove that the source of both the Duqu and Stuxnet certificates was the same in order to draw a definite conclusion, he said.
Other than the similarities in the kernel drivers, Duqu and Stuxnet are quite different in almost all other aspects, Ramsey said.
Duqu is designed purely for data theft and for providing remote access to a compromised system; Stuxnet was purpose-built for attacking industrial control systems. There's nothing in Duqu to suggest it was designed specifically to steal ICS data.
Stuxnet exploited four zero-day vulnerabilities, while Duqu exploits none, Ramsey said. Stuxnet also used peer-to-peer technologies and network shares to propagate while Duqu does not appear designed for self-propagation. Also, while Stuxnet came with a built-in capability for stealing information, Duqu only has add-on data exfiltration capabilities.
"Compared to Stuxnet, Duqu is not in the same ballpark," he said. "Five years ago, Duqu would have been pretty phenomenal. Today such kernel-level rootkits are common."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts