Malware aimed at specific targets, with different modules for each target, reveals company
Computer security company Kaspersky Lab has revealed that there are significant differences between the Stuxnet worm and its newly discovered twin Duqu.
The spread across the Internet of several versions of the malicious program Duqu has caused alarm in the IT Security industry and governments alike. The concerns are partly due to some similarities between the new worm, which creates files with "DQ" in the prefix, and last year’s infamous Stuxnet worm that targets control systems built by German firm Siemens.
It is believed the Stuxnet virus was originally developed to disrupt Iran’s nuclear programme. Analysis by computer security experts has shown that the worm exploited no fewer than four previously unknown vulnerabilities in Microsoft Windows to take over industrial control systems, making it more sophisticated than any virus seen before. Once inside a Windows system, the self-replicating code looks for connections to Siemens industrial control systems, exploiting further vulnerabilities in Siemens’ own operating system to make clandestine adjustments to industrial processes.
Stuxnet targeted industrial control systems sold by Siemens that are widely used around the globe to manage everything from nuclear power generators and chemical factories to water distribution systems and pharmaceuticals plants.
The worm first came to light late last year, after studies indicated that a "nation state" was likely behind the worm, which was meant to target Iran’s nuclear programme. In April, Iran claimed that Siemens had helped the US and Israel launch the computer worm Stuxnet against its nuclear facilities.
Homeland Security and Idaho National Laboratory analysts are trying to find out ways to fight the worm. But the origin of the worm is still unknown.
Earlier, Ralph Langner, one of the first researchers to demonstrate the workings of the sophisticated malware, had revealed that he believes Mossad is involved, but that the US is the leading source of the worm.
Last week, computer security company Symantec revealed that a research lab had discovered a new malicious code that "appeared to be very similar to Stuxnet."
Symantec had said, "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."
"Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.
"Duqu is essentially the precursor to a future Stuxnet-like attack," Symantec had said.
Kaspersky Lab said the Duqu worm was first detected in early September 2011, after a user in Hungary uploaded one of the components of the malware to the Virustotal website, which analyses suspicious files with anti-virus programs from different manufacturers.
The company added, "However, this first-detected sample turned out to be just one of several components that make up the whole of the worm. A little later, in a similar way, the Kaspersky Lab anti-malware experts received a sample of another module of the worm via Virustotal, and it was specifically its analysis that permitted finding a resemblance with Stuxnet."
The Moscow-based Kaspersky Lab believes that though there are some overall similarities between the two worms, Duqu and Stuxnet have some significant differences.
Kaspersky Lab experts began tracking, in real time, infection attempts by several variants of Duqu among users of the cloud-based Kaspersky Security Network. The company said it was surprised to find that during the first 24 hours only one system had been infected by the worm. Stuxnet, on the other hand, infected tens of thousands of systems all around the world; it is assumed, however, that it had a single ultimate target – industrial control systems used in Iran’s nuclear programme.
The ultimate target of Duqu is as yet unclear, and what is alarming in this case, Kaspersky Lab said, is precisely that its ultimate objective remains unknown.
The security experts at Kaspersky Lab found that the only infection with the worm among users of the Kaspersky Security Network involved just one of the several modules that presumably make up the Duqu worm.
The company said instances of infection by the second module, which is, in essence, a separate malicious program – a Trojan-Spy – have not yet been found. It is specifically this module of Duqu that carries the malicious functionality: it gathers information about the infected machine and also records keystrokes made on its keyboard, warned Kaspersky Lab.
Kaspersky Lab chief security expert Alexander Gostev said, "We’ve not found any instances of infections of computers of our clients with the Trojan-Spy module of Duqu. This means that Duqu may be aimed at a small quantity of specific targets, and different modules may be used to target each of them."
Kaspersky Lab said one of the yet-to-be-solved mysteries of Duqu is its initial method of penetration into a system: the installer or "dropper" needed for this has not yet been found.