Same Toolkit Spawned Stuxnet, Duqu, And Other Campaigns

New Kaspersky Lab research nails down platform used for the targeted attacks, but not all researchers are sold that the exploits are all interrelated

Theres one thing most Stuxnet researchers now agree on: Stuxnet and Duqu came from the same code base. And now new research backs up that theory as well as reveals that at least three additional and unrelated exploits were written from the same platform, which has been christened Tilded by researchers at Kaspersky Lab.
Kaspersky researchers say at least three other projects besides Duqu and Stuxnet were created with Tilded -- named for the developers penchant for using file names that start with a tilde symbol and the letter d -- including a spyware module that dates back to 2007 and 2008. But still no real evidence points to the actors behind Stuxnet, Duqu, or the other attacks using the Tilded, the researchers say.
Meanwhile, other likely exploits have yet to be discovered from the same platform, researchers say.
We dont know who the attackers are, but what we can say from all the evidence is that they are quite well-organized ... were talking about professional software developers working in four or five different teams and each team taking care of one of the modules, says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. And their focus appears to entail sabotage of some type, he says, with the support of a nation-state and with the goal of cyberespionage.
But neither Kaspersky nor Symantec, which have led much of the research into Stuxnet and Duqu, can confirm in their research the million-dollar question of just who is behind the two attack campaigns, despite heavy speculation that its the handiwork of the U.S. and Israel attempting to derail Irans nuclear enrichment program.
Security expert Tom Parker says while Duqu and Stuxnet could be related, that doesnt mean they are necessarily the same operation. The missions of Stuxnet and Duqu were different: One was reconnaissance [Duqu], and the other was a proactive agent [Stuxnet], says Parker, chief technology officer at FusionX. I dont think there is any information technology analysis of the similarities in the code to suggest that [they are from the same operation].
And Don Jackson, senior security researcher at Dell Secureworks, says while
Kasperskys new research
basically reinforces his theory that Stuxnet and Duqu were written with the same kit, it doesnt prove they were written by the same authors. He argues that code-sharing is not as effective in attribution in malware nowadays due to the wide availability of crimeware kits. You need to focus more on the operational parameters, he says. What was in common with the two is that they were generated by the same kit. Now we have a name for that kit, Jackson says.
That doesnt necessarily mean they go together, however, he says. Jackson contends that Duqu was not used for reconnaissance for Stuxnet, a conclusion that Kaspersky has drawn and Symantec has suggested. I dont believe Duqu was used as reconnaissance for Stuxnet. In fact, based on our understanding of all the findings to date, its contraindicated, he says.
For one thing, Duqu appears to be younger than Stuxnet, according to Jackson. If the development of the Tilded kit follows the general evolutionary pattern of development of software in general, and of practically all similar malware kits more specifically, then Duqu is younger than Stuxnet based on the common code. This is supported by analysis of incident time lines and other artifacts, such as compiler and code-signing time stamps, etc., he says.
Liam O Murchu, manager of operations for Symantec Security Response, says while Stuxnet and Duqu use the same code base, the real link is the loader file that Kaspersky studied: Its one file on the disk of an infected machine that is not encrypted. And while Murchu cant reveal details about Duqu victims, he says Duqu was targeting similar types of companies, possibly for a future Stuxnet attack. I can say that all the companies Duqu [hit] had something useful to the business of Stuxnet, Murchu says.
And its likely the attackers behind Duqu and Stuxnet are still operating under different attack campaigns. They are likely still operating and reconfiguring and recompiling it to avoid security products or researchers, he says. There could be attacks going on right now that we are not aware of.
[Lessons learned from the Stuxnet-Duqu link. See
Four Takeaways From The Stuxnet-Duqu Connection
.]
Meanwhile, there are several missing pieces to the Stuxnet and Duqu puzzle. First, theres Stars, a cyberattack the Iranian government claims hit its nuclear facility in April. Researchers at first dismissed the news as either a hoax or common malware, according to Kasperskys Raiu, but later discovered that Duqu contains a photo showing the collision of two galaxies, indicating a possible connection with Stars.
We think that many targets in Iran were specific versions of Duqu, and that may be one of the missing pieces of the puzzle, he says.
Another question is that one of the components for the Duqu command-and-control (C&C) servers was written in a programming language that the researchers had never seen before. It was a very curious procedural language .. we dont know why they chose to write it in a different language, and we dont know what this language is, Raiu says. Solving this [may] help us understand who created the communication module, or if different groups dont know about one another, for example, he says.
Still a mystery, too, is how the Duqu attackers hacked the systems they used as C&C servers. All of the computers belong to people and organizations unrelated to Duqu and had been hacked, he says. We need a good explanation of how they accessed them.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Same Toolkit Spawned Stuxnet, Duqu, And Other Campaigns