Computer security experts unfolding the mystery behind Stuxnet’s twin’s origin and target
After revealing that the Duqu and Stuxnet worms differ in many respects, experts at computer security firm Kaspersky Lab have found new instances of Duqu and tracked down one infected user in Sudan and three others in Iran using the cloud-based Kaspersky Security Network.
Kaspersky Lab is investigating the new malicious program Duqu, which shares some characteristics with the infamous Stuxnet worm that targeted industrial installations in Iran. The spread across the Internet of several versions of the malicious program Duqu has caused alarm in the IT Security industry and governments alike. The concerns are partly due to some similarities between the new worm, which creates files with "DQ" in the prefix, and last year’s infamous Stuxnet worm that targets control systems built by German firm Siemens.
Security experts at Kaspersky Lab found that Duqu is a universal tool being used for carrying out targeted attacks on a limited number of objects, and one that can be modified depending on the given task.
The company said that several characteristics of the worm were revealed in the first stage of analysis of Duqu by Kaspersky Lab specialists. First, in each discovered modification of the malicious program the drivers used to infect systems had been changed. In one instance the driver used a fake digital signature, in others – the driver wasn’t signed at all. Second, it became obvious that other elements of Duqu were likely to exist, but had yet to be found. Together, these findings allowed one to assume that the workings of this malicious program could be changed depending on the particular target being attacked, said Kaspersky Lab.
The company also said that since discovering the first samples of the malicious program, four new instances of infection have been detected. One of these was tracked down to a user in Sudan; the other three were located in Iran. In each of the four instances of Duqu infection, a unique modification of the driver necessary for infection was used.
More importantly, the company added, in the case of one of the Iranian infections two network attack attempts exploiting the MS08-067 vulnerability were also found. This vulnerability was used by Stuxnet too, and also by another, older, malicious program, Kido. The first of the two network attack attempts took place on October 4, the other on October 16, and both originated from one and the same IP address – formally belonging to a US Internet provider. If there had been just one such attempt, it could have been written off as typical Kido activity – but there were two consecutive attack attempts, and this detail suggests a targeted attack on an object in Iran. It is also possible that other software vulnerabilities were exploited in its operation.
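The reasoning above, that one MS08-067 attempt against a host is ordinary worm noise while repeated attempts from the same source against the same host look deliberate, can be turned into a simple log triage check. The following is an added example, not Kaspersky Lab's code; the IDS log format, the signature name and all addresses and dates are constructed for illustration.

```python
"""Flag (source IP, destination) pairs that repeatedly trigger the same exploit signature.
A single hit may be background worm activity; a source that returns to the same host is
worth an analyst's attention. Added example with a constructed, hypothetical log format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample IDS log lines: date time src=... dst=... sig=...  (hypothetical format).
SAMPLE_LOG = """\
2011-10-04 09:12:44 src=203.0.113.7 dst=10.20.0.15 sig=MS08-067_NETAPI_EXPLOIT
2011-10-05 14:01:03 src=198.51.100.9 dst=10.20.0.15 sig=MS08-067_NETAPI_EXPLOIT
2011-10-09 22:30:18 src=192.0.2.44 dst=10.20.0.88 sig=MS08-067_NETAPI_EXPLOIT
2011-10-16 11:47:51 src=203.0.113.7 dst=10.20.0.15 sig=MS08-067_NETAPI_EXPLOIT
2011-10-16 11:48:02 src=203.0.113.7 dst=10.20.0.15 sig=SMB_SCAN
"""


def parse_line(line):
    """Return (timestamp, src, dst, sig) for one log line, or None if the line does not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, fields["src"], fields["dst"], fields["sig"]


def repeated_exploit_sources(log_text, signature="MS08-067_NETAPI_EXPLOIT", min_attempts=2):
    """Group attempts for `signature` by (src, dst). Return a dict mapping each pair seen at
    least `min_attempts` times to (count, first_seen, last_seen), so an analyst can separate
    one-off worm noise from a source that keeps coming back to the same host."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != signature:
            continue
        ts, src, dst, _ = rec
        attempts[(src, dst)].append(ts)
    flagged = {}
    for key, times in attempts.items():
        if len(times) >= min_attempts:
            times.sort()
            flagged[key] = (len(times), times[0], times[-1])
    return flagged


if __name__ == "__main__":
    for (src, dst), (n, first, last) in repeated_exploit_sources(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} attempts between {first:%Y-%m-%d} and {last:%Y-%m-%d}")
```

On the constructed log only 203.0.113.7 is flagged; the other two sources each hit their host once and are left as background noise.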
Kaspersky Lab chief security expert Alexander Gostev said that although the systems attacked by Duqu are located in Iran, to date there is no evidence that they are industrial or nuclear program-related systems.
"As such, it is impossible to confirm that the target of the new malicious program is the same as that of Stuxnet. Nevertheless, it is clear that every infection by Duqu is unique. This information allows one to say with certainty that Duqu is being used for targeted attacks on pre-determined objects," added Gostev.