Dell SecureWorks: Duqu and Stuxnet – the work of various authors
November 2nd, 2011 | Posted in Security
The similarity between the recently discovered Duqu and the notorious Stuxnet worm, which caused universal alarm over a year ago, is greatly exaggerated. That is the conclusion reached by Dell SecureWorks.
The key point of the analysis is that, despite the similarities, Duqu and Stuxnet were created to perform different tasks: one had very specific goals, the other more general ones.
Both samples have rootkit-like elements, including the way they install kernel-level drivers and load encrypted DLL files. Strikingly, both pieces of malware use a driver-signing certificate from the same Taiwanese company, JMicron, for one of their core files.
“Overall, a signing certificate is not proof of kinship between samples, since signing certificates can be obtained from various sources,” the researchers said. “To draw a definitive conclusion in favor of the malware being related, you would first need to prove that the certificates were obtained from the same source.”
Stuxnet was designed to attack specific software systems, such as those used for industrial control. Duqu's behavior, by contrast, looks more like that of an ordinary Trojan combined with a keylogger, albeit a very advanced one.
Unlike Stuxnet, Duqu does not use zero-day vulnerabilities and cannot self-replicate (which is precisely what made Stuxnet notable as a worm). Most importantly, in Dell SecureWorks' view, Duqu does not target a specific sector, which significantly reduces the likelihood that it was conceived as narrowly targeted malware and gives no reason to call it an advanced persistent threat.
“One can speculate about a single source for the injection component. But this evidence is at best circumstantial and cannot confirm a direct connection.”
In short, the similarities are probably just a coincidence, and at most an indication that malware samples resemble each other because their authors adopt the more effective attack methods.
What makes Duqu suspicious is that its infection method still remains a mystery. That is very strange for mass malware, which typically spreads via e-mail and drive-by attacks on websites. Researchers have yet to find an installer that would help them learn more about Duqu's origin. Duqu also deletes itself 36 days after installation, which is likewise very unusual.
Last week Symantec published an analysis stating that the two malicious programs share common source code, which indicates that their creators at least had access to the same code base. The company also claims that Duqu attacked companies in the same region as Stuxnet; however, the data that could prove this is very scarce.