News

New Duqu Trojan analysis questions Stuxnet connection

Robert Westervelt, News Director

Also read: New Duqu malware shares Stuxnet Trojan code similarities.

New analysis of the Duqu Trojan has concluded there

    Requires Free Membership to View

is not enough evidence to link it to Stuxnet, and calls early analysis that claimed Duqu was a new version of the worm pure speculation.

The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.

Dell SecureWorks CTU

The Duqu Trojan report, issued by the Dell SecureWorks Counter Threat Unit, said Duqu raised eyebrows recently for containing code that shares striking similarities as the Stuxnet worm , but ultimately the new Trojan was designed for a completely different purpose.  The payloads of Duqu and Stuxnet are significantly different and unrelated, the Dell SecureWorks researchers said.

“One could speculate the injection components share a common source, but supporting evidence is circumstantial at best, and insufficient to confirm a direct relationship,” according to the report. “The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.”

Initial Duqu Trojan analysis was issued by Symantec Corp. Oct. 18, which concluded the malware could be a precursor to a future Stuxnet-style attack. The Mountain View, Calif.-based vendor said parts of Win32.Duqu are nearly identical to Stuxnet, indicating it was created by someone who has access to the Stuxnet source code. Duqu was designed to enable attackers to install other malicious programs that can record keystrokes, gather system information, take screenshots and explore files.

Symantec has revised its early report, stating that Duqu was found in "industrial industry manufacturers" systems. The change was made after consulting with an industrial control system computer emergency response team (ICSCERT), said Liam O Murchu, manager of operations for Symantec Security Response.  The companies that had Duqu on their systems “were not necessarily the manufacturers of process control systems, but of a valve or pipe that would be used in an industrial control system facility,” Murchu said. “We’re trying to differentiate between actual companies dealing with PLCs and companies supplying parts in facilities that have PLCs.”

This wasn’t just similar but the exact same code was used and that shows us that the two threats were created from the same code base.

Liam O Murchu, manager of operations, Symantec Security Response. 

Murchu said Symantec conducted a thorough analysis of the Duqu code and stands by its initial report that it was created from the same Stuxnet source code. Symantec researchers conducted binary comparison of the code in the Duqu loader as well as the code in several other components, he said.

“We don’t have 100% evidence that shows Duqu is made by the same creators that wrote Stuxnet, but we do know that the threats were created from the same source code,”  Murchu said. “This wasn’t just similar but the exact same code was used and that shows us that the two threats were created from the same code base.”

Similarities to Stuxnet
Duqu and Stuxnet use a similar kernel driver to decrypt and load encrypted dynamic load library (DLL) files, enabling the Trojan to inject itself into system processes. Other components that encrypt Duqu and make it stealthy are also used in Stuxnet, but, according to the Dell-SecureWorks researchers, they have been used in other unrelated malware.

Where Stuxnet and Duqu share striking similarities is in the software signing certificate used to digitally sign the kernel driver file. The digital certificate is used to enable the malware to masquerade as a harmless kernel driver for the infected system. Both Stuxnet and Duqu appear as a driver from the JMicron Technology Company.

“The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion,” according to the report.

Symantec initially said the Trojan was detected on the systems of European industrial control manufacturers. But the Dell SecureWorks analysis found no specific code that seeks out supervisory control and data acquisition (SCADA) components. The primary purpose of Duqu is to provide an attacker with remote access to a compromised computer to upload additional malware that could steal sensitive data.

Duqu defenses
Security researchers are still trying to track down the Duqu installers, which would provide clues as to how machines are initially infected by the Trojan.

The Dell SecureWorks team said most antivirus and antimalware technologies can now detect Duqu infections. Risk averse organizations can take additional steps, such as monitoring non-SSL traffic for communication to Duqu-related domains.

Also read: New Duqu malware shares Stuxnet Trojan code similarities.