Kaspersky Experts Dig Other Malware Belonging to Stuxnet, Duqu Family

Jay Decenella, IT audit expert
January 04, 2012

A single team of developers has been confirmed to be behind the malware programs that belong to the Stuxnet and Duqu family of Trojans, according to experts from Kaspersky Lab, who assume that “a single platform was used, which is flexibly adaptable to specific targets.”

Kaspersky said this platform appeared to have been in existence and active usage long before the Stuxnet emerged, based on detailed analysis of the drivers used for infecting systems with Duqu and Stuxnet.

The platform, called “Tilded” (after the tilde symbol used by creators to name the files), was used to create Stuxnet and Duqu, and also other malicious programs, according to Kaspersky experts.

Analysis of one of the incidents related to Duqu in August 2011 revealed a driver similar to one used by one of the versions of Stuxnet, which established the connection between the two Trojans.

Nonetheless, there were marked differences in the details of Duqu and Stuxnet, such as the date of signing of the digital certificate.

Kaspersky did not find other files which it was possible to attribute to the activity of Stuxnet, but there were tracks of Duqu activity.

By processing that information and searching further in its database of malicious programs, Kaspersky also found one more driver with characteristics similar to those associated with Duqu and Stuxnet.

It was discovered more than a year ago, but the file was compiled in January 2008, a year before the creation of the drivers used by Stuxnet.

Kaspersky Lab experts found seven types of drivers overall with similar characteristics. The firm noted that for three of them there is as yet no information about which malicious program they were used with.

Alexander Gostev, Chief Security Expert at Kaspersky Lab, said: “The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date.

“We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team”.

According to Kaspersky Lab’s experts, the cybercriminals behind Duqu and Stuxnet create a new version of the driver several times a year; the driver is used for loading the main module of the malicious program.

Before launching an attack, the creators change several parameters of the driver, such as the registry key, using a special program. The same file could also come with a legitimate digital certificate, or none at all.
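The attribution described above leans on two attributes of each driver file, its compile timestamp and whether it carries an Authenticode signature. As an added example, not code from Kaspersky or from the article, the following Python helper reads both straight from the PE/COFF header so that a defender can cluster drivers by build date and signing status; the sample image it builds is a constructed minimal PE32+ header, not a real driver.

```python
import struct
from datetime import datetime, timezone

# Optional-header magic values and the data-directory slot for Authenticode (PE/COFF spec).
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def pe_triage(data: bytes) -> dict:
    """Return machine type, compile time and Authenticode presence for one PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, stamp, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)                          # COFF file header
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the optional header.
    dir_base = {OPT_MAGIC_PE32: 96, OPT_MAGIC_PE32PLUS: 112}[magic]
    sec_off = opt_off + dir_base + SECURITY_DIR_INDEX * 8
    signed = False
    if sec_off + 8 <= opt_off + opt_size:
        cert_off, cert_size = struct.unpack_from("<II", data, sec_off)
        signed = cert_off != 0 and cert_size != 0            # non-empty certificate table
    return {
        "machine": machine,
        "epoch": stamp,
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "signed": signed,
    }

def in_build_window(record: dict, start_epoch: int, end_epoch: int) -> bool:
    """True when the compile timestamp falls inside a build window of interest."""
    return start_epoch <= record["epoch"] <= end_epoch

def build_sample_driver(stamp: int, signed: bool) -> bytes:
    """Constructed minimal PE32+ image (header only, not a real driver) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    opt_size = 240                                             # PE32+ with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32PLUS)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size
    if signed:  # point the security directory at an 8-byte placeholder certificate table
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, header_len, 8)
    return dos + b"PE\0\0" + coff + bytes(opt) + (b"\0" * 8 if signed else b"")
```

A non-empty security directory only shows that a signature blob is present; whether the certificate is valid, revoked or stolen needs a separate Authenticode verification step.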

Kaspersky concluded: “Thus, Duqu and Stuxnet are separate projects, which were created on the basis of a single platform – Tilded – which was developed around the end of 2007 and the beginning of 2008.

“It is most likely that this project was not the only one, but the aims and tasks of the different variants of the Trojan program are as yet unknown. It cannot be ruled out that this platform continues to develop; moreover, the discovery of Duqu by security experts will mean further changes are being or will be made to the platform.”
