Duqu, Stuxnet link unclear
Dell SecureWorks says there's little real proof that Duqu is related to Stuxnet
Computerworld - A report by Dell SecureWorks on Wednesday disputed the idea that the newly discovered Duqu Trojan is related to last year's Stuxnet worm or was created by the same authors.
According to SecureWorks, there are some similarities in code and function between Duqu and Stuxnet, but there's little conclusive proof the two are linked. "Supporting evidence is circumstantial at best and insufficient to confirm a direct relationship," SecureWorks said.
The Duqu Trojan was discovered earlier this month by a little-known Hungarian lab, the Laboratory of Cryptography and System Security (CrySyS). In a report last week, Symantec called the Trojan a precursor to the next Stuxnet and said that Duqu shared a lot of its source code with Stuxnet and was likely created by the same authors.
Unlike Stuxnet, Duqu is not directly targeted at industrial control systems, Symantec noted. Its main purpose is to let attackers steal data from manufacturers of industrial control systems that can then be used to craft attacks against entities using such systems.
But Jon Ramsey, CTO at Dell SecureWorks, said that any link between Duqu and Stuxnet appears tenuous at best.
Both Duqu and Stuxnet are sophisticated pieces of malware featuring multiple components. All of the supposed similarities between the two exist in just one of those components, Ramsey said.
Both Duqu and Stuxnet use a kernel driver to decrypt and load certain encrypted files on the infected computer. The kernel driver serves as an "injection engine" for loading the files into a specific process, according to SecureWorks. "The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files," the security vendor said in its report.
But that doesn't mean the two are directly related, Ramsey said, noting that kernel-level rootkits have been used before and are not unique to Stuxnet or Duqu. Previously discovered malware such as BlackEnergy 2 and Rustock used similar kernel-level rootkits, Ramsey said.
The fact that Duqu's kernel driver was signed using a code-signing certificate associated with Stuxnet has been held up as a sign that the two are related. But compromised signing certificates such as the one used by Duqu can be obtained from several sources, Ramsey said. Someone would have to prove that the source of both the Duqu and Stuxnet certificates was the same in order to draw a definite conclusion, he said.
Other than the similarities in the kernel drivers, Duqu and Stuxnet are quite different in almost all other aspects, Ramsey said.
Duqu is designed purely for data theft and for providing remote access to a compromised system; Stuxnet was purpose-built for attacking industrial control systems. There's nothing in Duqu to suggest it was designed specifically to steal ICS data.
Stuxnet exploited four zero-day vulnerabilities, while Duqu exploits none, Ramsey said. Stuxnet also used peer-to-peer techniques and network shares to propagate, while Duqu does not appear to be designed for self-propagation. Also, while Stuxnet came with a built-in capability for stealing information, Duqu only has add-on data exfiltration capabilities.
"Compared to Stuxnet, Duqu is not in the same ballpark," he said. "Five years ago, Duqu would have been pretty phenomenal. Today such kernel-level rootkits are common."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.