Duqu, Stuxnet link unclear

Dell SecureWorks says there's little real proof that Duqu is related to Stuxnet

A report by Dell SecureWorks on Wednesday debunked the idea that the newly discovered Duqu Trojan is related to last year's Stuxnet worm or was created by the same authors.

According to SecureWorks, there are some similarities in code and function between Duqu and Stuxnet, but there is little conclusive proof that the two are linked. "Supporting evidence is circumstantial at best and insufficient to confirm a direct relationship," SecureWorks said.

The Duqu Trojan was discovered earlier this month by a little-known Hungarian lab called the Laboratory of Cryptography and System Security. In a report last week, Symantec called the Trojan a precursor to the next Stuxnet and said that Duqu shared a lot of its source code with Stuxnet and was likely created by the same authors.

Unlike Stuxnet, Duqu is not directly targeted at industrial control systems, Symantec noted. Its main purpose is to let attackers steal data from manufacturers of industrial control systems that can then be used to craft attacks against entities using such systems.

But Jon Ramsey, CTO at Dell SecureWorks, said that any link between Duqu and Stuxnet appears tenuous at best.

Both Duqu and Stuxnet are sophisticated pieces of malware featuring multiple components. All of the supposed similarities between the two exist in just one of those components, Ramsey said.

Both Duqu and Stuxnet use a kernel driver to decrypt and load certain encrypted files on the infected computer. The kernel driver serves as an "injection engine" for loading the files into a specific process, according to SecureWorks. "The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files," the security vendor said in its report.

But that doesn't mean the two are directly related, Ramsey said, noting that kernel-level rootkits have been used before and are not unique to Stuxnet or Duqu. Previously discovered malware threats such as BlackEnergy 2 and Rustock both used a similar kernel-level rootkit, Ramsey said.

The fact that Duqu's kernel driver was signed using a code signing certificate associated with Stuxnet has been held up as a sign that the two are related. But compromised signing certificates such as the one used by Duqu can be obtained from several sources, Ramsey said. Someone would have to prove that the source of both the Duqu and Stuxnet certificates was the same in order to draw a definite conclusion, he said.
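The practical consequence of a driver signed with a compromised certificate is that Windows will load it without complaint until the certificate is revoked, so the signature status alone is not enough to clear a driver. The following PowerShell script is an added example, not code from the article or from SecureWorks: it enumerates running kernel drivers, checks each file's Authenticode signature, and flags any driver whose signer thumbprint appears on a locally maintained block list. The thumbprint in the list is a placeholder, not the certificate associated with Duqu or Stuxnet, and the `Resolve-DriverPath` helper is an assumption about the path forms `Win32_SystemDriver` reports.

```powershell
# Added example: audit running kernel drivers for invalid signatures or
# signers on a local block list. The thumbprint below is a placeholder;
# populate the list from your own revocation or threat-intel sources.
$BlockedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-KNOWN-COMPROMISED-CERT'
)

function Resolve-DriverPath {
    # Win32_SystemDriver reports paths in several forms; normalise them
    # to an absolute path that Test-Path and Get-AuthenticodeSignature accept.
    # (Assumed forms: \??\C:\..., \SystemRoot\..., system32\...)
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }
            [pscustomobject]@{
                Driver     = $_.Name
                Path       = $path
                Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
                Thumbprint = $thumb
                # A stolen certificate still yields Status = Valid until it is
                # revoked, so the block-list check is the part that matters.
                Blocked    = [bool]($thumb -and ($BlockedThumbprints -contains $thumb))
            }
        }
}

# Show only drivers that fail verification or match the block list.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Blocked } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable. An empty result means every running driver carries a valid signature from a signer not on the list; it does not prove the signers are trustworthy, which is exactly Ramsey's point about needing to establish where a certificate came from.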

Other than the similarities in the kernel drivers, Duqu and Stuxnet are quite different in almost all other aspects, Ramsey said.

Duqu is designed purely for data theft and for providing remote access to a compromised system; Stuxnet was purpose-built for attacking industrial control systems. There's nothing in Duqu to suggest it was designed specifically to steal ICS data.

Stuxnet exploited four zero-day vulnerabilities, while Duqu exploits none, Ramsey said. Stuxnet also used peer-to-peer technologies and network shares to propagate while Duqu does not appear designed for self-propagation. Also, while Stuxnet came with a built-in capability for stealing information, Duqu only has add-on data exfiltration capabilities.

"Compared to Stuxnet, Duqu is not in the same ballpark," he said. "Five years ago, Duqu would have been pretty phenomenal. Today such kernel-level rootkits are common."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
