News

Tilded platform responsible for Stuxnet, Duqu evasiveness

Robert Westervelt

Researchers at Kaspersky Lab have released new analysis into the Duqu Trojan, tying it and the closely connected Stuxnet

Requires Free Membership to View

worm to a software platform designed to create exploits that avoid detection.

We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers.

Alexander Gostev and Igor Soumenkov, Kaspersky Lab researchers

Kaspersky Lab said the two pieces of malware share a common configuration file called Tilded. The Tilded platform was designed to provide encryption and other evasive techniques while the malware is injected into a system. Kaspersky said at least one other unrelated spyware module was created with Tilded and several other programs whose functionality is unclear. The research also questions the history of the Stuxnet codebase, finding that at least some of the code it used was created as early as 2007.

“We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers,” said Kaspersky Lab researchers Alexander Gostev and Igor Soumenkov in their analysis.

Tilded was so named because the developers used file names that started with a Tilde symbol followed by the letter “d.” The team of developers, who remain unknown, are likely behind other projects.

Tilded was created at the end of 2007, before undergoing significant changes in 2010. “Those changes were sparked by advances in code and the need to avoid detection by antivirus solutions,” according to the Kaspersky research. “There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown.”

Researchers are continuing to focus their analysis on the Duqu Trojan, which emerged in October on the systems of several manufacturers of industrial control parts and suppliers. The installer used to infect systems used a Microsoft zero-day vulnerability. The malware shares some of the same codebases as Stuxnet, but rather than disrupting systems, it was designed to collect data. Symantec said it could be a precursor to a future Stuxnet-style attack.

Attacks using Duqu were believed to have been carried out as early as December 2010. The Trojan was designed to install itself and remain stealthy, installing spyware that records system information and copy files on all drives. Duqu was designed to operate for 36 days before it removed itself from an infected system.

Kaspersky Lab said enterprises need to understand that the Tilded platform is likely behind other exploits.  Other projects designed using the platform may not have been detected by security teams, Kaspersky said. 

“The platform continues to develop, which can only mean one thing – we’re likely to see more modifications in the future,” Kaspersky said.