Duqu Not After Same Target As Stuxnet, Researchers Say

Published: 22/11/2024   Category: security




New Kaspersky Lab analysis finds two distinct pieces of malware



Just what the attackers behind the newly discovered Stuxnet-like Duqu backdoor malware are after remains unclear, but researchers at Kaspersky Lab say it isn't likely after Iranian nuclear facilities as Stuxnet had been.
"Unlike Stuxnet, the amount of infections is rather confined with Duqu. So the fact that we see Duqu in a few different countries basically rules out that it has the same target as Stuxnet," says Roel Schouwenberg, senior researcher at Kaspersky Lab. "Stuxnet clearly had one very specific target."
The malware, which originally was found in some unnamed European organizations and then analyzed by Symantec and McAfee, appears to be attacking industrial control-system vendors and certificate authorities (CAs), with multiple variants in circulation.
And according to Kaspersky Lab's analysis, the Duqu infections are made up of at least two malware programs, a main module and a keylogger. It's the main module that so closely resembles Stuxnet, not the keylogger, according to Kaspersky.
"The module is very similar to Stuxnet -- both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy-program!" blogged Alex Gostev, Kaspersky Lab's chief malware expert, today.
The main module comprises three elements: a driver that places a DLL into system processes, the DLL that works with the command-and-control, and a configuration file, according to Kaspersky.
"The separate keylogger is like a downloaded stand-alone plug-in for the main module -- we currently assume it's downloaded by the main module," Schouwenberg says. "It's strange to name the entire threat after a plug-in, [Duqu]. The keylogger produces the ~DQ file."
Kaspersky hasn't seen the earmarks of the original Stuxnet attack, such as a clear target against PLCs, self-replication, or zero-days, he says. "So it was very easy for people to get confused. The likeness is in the internal structures."
But Kaspersky agrees with analysis by Symantec and McAfee that the latest threat could be the handiwork of the original Stuxnet attackers, or at least someone with access to the Stuxnet source code. Schouwenberg says there's no way to know for sure whether the creators of this new malware are the same ones who wrote Stuxnet, but it's likely. "It would be a huge amount of work to get to this level of similarity by reverse-engineering," he says.
Still unknown, too, is the first phase of the attack that placed Duqu onto the infected machines. "We -- like everyone else -- are looking to find the initial installer," he says. It might be that the installer used a zero-day exploit, or some self-replication function, he says.
And if it is the same authors as Stuxnet, there are hints that they might have learned a few lessons on how to better remain under the radar this time.
"Perhaps the fact that we haven't found it -- yet -- means the creators have learned. However, as this operation may still be ongoing, any extra day we don't have the installer means an easier time for the bad guys," Schouwenberg says.
Another example of an improvement over Stuxnet is the digital certificate used in the new attack, he says. One of the drivers was signed using a stolen digital certificate from C-Media. The signing process was where the Stuxnet authors had been a bit sloppy. "With Duqu, they didn't repeat that mistake. It's signed in an untraceable way," Schouwenberg says. That could indicate that if it's the same attackers that were behind Stuxnet, they have learned from their mistakes, he says.
Kaspersky's analysis of Duqu is here.