Duqu, Stuxnet malware developed by same group

The notorious Duqu Trojan and the Stuxnet worm were developed by a single group of malware developers, according to Internet security firm Kaspersky Lab.


Kaspersky added that the same team may already have built other malware on the same platform, which was designed to be adapted to specific targets.

Kaspersky released a report stating that Duqu and Stuxnet, as well as a number of malware samples discovered in 2011, were built on a common development platform it calls "Tilded", after the authors' habit of giving files names that begin with a tilde ("~d").

The Kaspersky team, led by its Chief Security Expert Alexander Gostev, discovered the similarities between these malware families during an extensive investigation in 2011 aimed at identifying the origin of the Trojans.

Among the similarities is the kernel-mode driver that both Duqu and Stuxnet use to load and control the malware once it has infected a computer. One of the few key differences is the date on which each driver's digital signature was applied.

Gostev noted that the Tilded platform was created around 2007 or early 2008 and underwent more significant changes in late 2010. Those changes were most likely driven by the authors' need to make their malware harder for antivirus products to detect.

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date,” said Gostev.

“We consider that these drivers were used either in an earlier version of Duqu or for infection with completely different malicious programs. Moreover, these could have been the same platform and, it is likely, a single creator-team,” Gostev added.

Meanwhile, other malware that has yet to be identified also shares characteristics with Duqu or Stuxnet, fueling speculation about the origin of these programs.

Duqu was discovered in the wild in autumn 2011, while Stuxnet was identified in mid-2010. Both are aimed at very specific industrial targets. Once a machine is infected, the malware collects particular information from it and relays that data to the operators who deployed it.

Administrators of infected industrial systems often do not know that Duqu or Stuxnet is present unless they carry out a systematic analysis of their IT infrastructure.

It has been speculated that Duqu, Stuxnet and related malware were built for espionage and sabotage, since some of the infections were found at nuclear facilities, particularly in Iran.

“There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing – we’re likely to see more modifications in the future,” warned Gostev.


Article source: http://newsbytes.ph/2012/01/20/duqu-stuxnet-malware-developed-by-same-group/

View full post on National Cyber Security » Virus/Malware/Worms