Scary New Evidence Further Links Duqu, Stuxnet Malware
Cooling towers at Iran's Bushehr nuclear facility, one of several infected by Stuxnet.
CREDIT: Lawrence Livermore National Lab
Security experts have dug deeper into the Duqu Trojan and discovered a scary shared characteristic between the newly discovered piece of malware and last year's infamous Stuxnet worm, supporting the theory that the same authors are behind both.
The Hungarian security firm CrySyS, which discovered Duqu in October, found that it hides in a Microsoft Word document and contains something astonishing: a zero-day exploit of a vulnerability in the Windows kernel, the very heart of the operating system.
Zero-day exploits are the Holy Grail for hackers. Unknown flaws in software are few and far between, and when one is found, cybercriminals exploit it as much as possible during the brief precious window before the software maker patches it. The fact that Duqu contains one zero-day, and Stuxnet four, yet both programs steal nothing, indicates that their makers are both highly skilled, motivated by something other than money and willing to squander knowledge that could be worth millions to secure their objectives.
Chester Wisniewski, senior security adviser for the security firm Sophos, wrote that Windows zero-day flaws are uncommon in traditional malware. He noted that a recent Microsoft report found no zero-day exploits in any of the malware infections cleaned by the Malicious Software Removal Tool.
Stuxnet was designed to sabotage nuclear facilities in Iran, but also infected systems in India and Indonesia. Duqu infections have been confirmed in Iran as well as in Sudan, India, Vietnam, France, the Netherlands, Switzerland and Ukraine, the security firm Symantec reported.
Duqu shares much of its code with Stuxnet. Two major digital security firms are divided about Duqu's intentions; Symantec says it is designed to steal data from industrial control systems, such as those running power plants and oil refineries, while McAfee argues it's meant to steal authentication certificates that websites use to verify their identities.
Regarding the zero-day exploit that Duqu uses, Alex Gostev, chief malware analyst for the security firm Kaspersky Lab, wrote that his team "discovered a similar vulnerability a year ago when analyzing the Stuxnet worm."
Microsoft has released a statement saying that it is working on a patch to the newly discovered Windows kernel flaw.
Gostev wrote that Duqu's method of attack, via a targeted email with an attached Microsoft Word document, "proves our theory that the Duqu attacks are directed against a very small number of victims and in each case, they can employ unique sets of files."
"To infect other computers in the network," Gostev added, "Duqu seems to be using scheduled jobs, a technique that we've also seen in Stuxnet and is a preferred choice of APTs [advanced persistent threats]. These, together with other previously known details, reinforce the theory that Stuxnet and Duqu were created by the same people ."
Those "people" who created Stuxnet and possibly Duqu are unknown, but evidence hints at the involvement of the U.S. and Israel. Some experts in the security community believe the two nations developed Stuxnet as an alternative to a military strike on Iran's nuclear facilities.