Free Republic
News/Activism

Duqu, Stuxnet malware developed by same group (screwed Iran - big time)
Newsbytes | 1/20/12

Posted on 01/26/2012 6:57:32 PM PST by Libloather

Duqu, Stuxnet malware developed by same group
Posted on 20 Jan 2012 at 2:29pm

The infamous Trojans Duqu and Stuxnet were developed by a single group of malware developers, according to Internet security firm Kaspersky Lab.

In fact, Kaspersky said the same development team could already have built other malware on the same platform, which is flexibly adaptable to specific targets.

Kaspersky released a report stating that Duqu and Stuxnet, as well as a number of other malware samples discovered in 2011, were built on a development platform it calls “Tilded,” a name derived from the tilde symbol (“~”) used in many of these samples.

The Kaspersky team, led by its Chief Security Expert Alexander Gostev, discovered the similarities between these samples during an extensive investigation in 2011 that aimed to identify the source of the Trojans.

Among the similarities is a software driver shared by Duqu and Stuxnet that controls how the malware behaves once it infects a computer. Among the few key differences is the signing date of the digital certificate.

Gostev noted that the Tilded platform was created around 2007 or early 2008 and then underwent significant changes in late 2010. Those changes were most likely driven by the need to make the malware less detectable by antivirus applications.

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date,” said Gostev.

“We consider that these drivers were used either in an earlier version of Duqu or for infection with completely different malicious programs. Moreover, these could have been the same platform and, it is likely, a single creator-team,” Gostev added.

Meanwhile, other, as yet unidentified malware also showed similarities to either Duqu or Stuxnet, fueling speculation about the source of these samples.

Duqu was discovered “in the wild” in late 2011, while Stuxnet had been spreading since mid-2010. Both are designed to infect very specific industrial machines. Once a machine is infected, the malware captures specific information and commands and sends them back to whoever deployed it.

Administrators of infected industrial systems often do not know that Duqu or Stuxnet is present unless they run a systems analysis of their information technology infrastructure.

It has been speculated that the purpose of Duqu, Stuxnet and related malware is espionage, as some of the infections were found in nuclear power plant facilities, especially in Iran.

“There were a number of projects involving programs based on the ‘Tilded’ platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing – we’re likely to see more modifications in the future,” warned Gostev.


TOPICS: Crime/Corruption; Extended News; Germany; Government; Israel; News/Current Events; Russia
KEYWORDS: alexandergostev; duqu; germany; india; iran; israel; kaspersky; malware; pakistan; russia; stuxnet; tilded
To: null and void

I spent a little time close to political power, nothing to really brag about; but, I learned then there is a huge difference between the true story and public reports and knowledge.

I suspect Stuxnet will only truly be revealed many years hence, if then.

There is an American firm that’s released a fair amount of basic facts about its structure along with some guesses on analysis from these facts. Not a whole lot, but IMHO, the closest to what’s really known outside of government thus far.


21 posted on 01/26/2012 8:10:37 PM PST by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)

To: the invisib1e hand
I'm very much no expert! (I would have gone with Xerox PARC as a connection point).

My point being that stuff gets written everywhere, there is no single origin point, and even if we think we know the provenance of any bit of code, odds are good chunks of it were outsourced to people in nations hostile to anywhere with freedom and liberty.

And today, I have to include anywhere under the thumb of the US federal government on that list. *sigh*

22 posted on 01/26/2012 8:14:51 PM PST by null and void (Day 1101 of America's ObamaVacation from reality [Heroes aren't made, Frank, they're cornered...])

To: PA Engineer

:’) At least your old German professor is dead now.


23 posted on 01/26/2012 8:36:33 PM PST by SunkenCiv (FReep this FReepathon!)

To: SunkenCiv
:’) At least your old German professor is dead now.

:-)
24 posted on 01/26/2012 8:43:03 PM PST by PA Engineer (Time to beat the swords of government tyranny into the plowshares of freedom.)

To: D-fendr; null and void

Kaspersky has quite a good reputation. Good detection rate, good protection, aggressive if that’s your preferred way.

Not mine these days, but if I wanted active protection rather than passive, they’d be top on the list, unquestionably.


25 posted on 01/26/2012 8:56:50 PM PST by Fire_on_High (WTB new tagline, PST!)

To: dennisw; Cachelot; Nix 2; veronica; Catspaw; knighthawk; Alouette; Optimist; weikel; Lent; GregB; ..
Middle East and terrorism, occasional political and Jewish issues Ping List. High Volume

If you’d like to be on or off, please FR mail me.


26 posted on 01/26/2012 10:40:05 PM PST by SJackson (The Pilgrims—Doing the jobs Native Americans wouldn't do !)

To: Fire_on_High

I’m not being very clear.

I respect Kaspersky as software engineers, viruses, etc.

But Stuxnet involves international politics: Israel, Russia, Iran, US, Pakistan, etc., etc.

Who is doing what and who thinks who can do what or thinks who is doing what... all has diplomatic and military impact.

I don’t know what influence the Russian government has on Kaspersky’s research and reporting on this matter; it would not be absurd to think the government has considerable interest and therefore a lot to do with what is reported.

I don’t know, but that’s why I said I’d be more comfortable with this report if it didn’t come from a Russian firm, where, I believe, the government has a heavier hand in industry.


27 posted on 01/27/2012 1:05:37 AM PST by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)

To: null and void

My point, a bit rhetorical, was that three main OSs have their roots at DEC, which ran with Bell Unix, iirc, though when the hardcore geeks pile on you’ll know how hazy I am on the details. Notwithstanding that, there is a tangible connection, made more tangible by business’s propensity for cutting-and-pasting useful routines.


28 posted on 01/27/2012 7:12:26 AM PST by the invisib1e hand (religion + guns = liberty.)

Comment #29 Removed by Moderator

To: bigbob

He and his team were probably paid in pizza and beer and leftenant wages in the IDF “signal core.”

Undoubtedly, however, there is a great job at graduation.


30 posted on 01/27/2012 8:48:54 AM PST by Jewbacca (The residents of Iroquois territory may not determine whether Jews may live in Jerusalem.)
