The Stuxnet worm was built on the same platform used from 2007 onwards to create a family of cyber-weapon-like malware including the recently-discovered Duqu worm, a forensic analysis by Kaspersky Lab researchers has concluded.
In a detailed analysis, Kaspersky’s Alexander Gotsev and Igor Soumenkov lay out the evidence for both pieces of malware having been created using a cybermalware kernel they call ’tilded’ (after the tendency of its programmers to use the ~d characters at the start of filenames).
The clues to the relationship between Stuxnet and Duqu look compelling and have in part been mentioned by the company before. Both share a common design, featuring an identical division of the programs into parts carrying out similar functions.
However, while analysing a newly discovered driver file from a Chinese PC which contained Duqu files, the researchers discovered that it appeared to be a modified version of a driver file used by Stuxnet. The modification used the same certificate and had the same signing date and time, leading to the conclusion that the two pieces of malware must share common origins.
Running through the company’s malware file database, the team found seven other drivers with similar characteristics, including three – rndismpc.sys, rtniczw.sys and jmidebs.sys – that still can’t be related to specific pieces of malware.
These files cannot interact with any known version of Stuxnet, leaving the researchers to conclude that they were either connected to an earlier version of Duqu or represent fragments from unidentified pieces of malware created by the same team.
“There were a number of projects involving programs based on the ’tilded’ platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown,” writes Alexander Gotsev or Kaspersky Lab.
The team’s evidence is not conclusive but the circumstantial connections between Stuxnet and Duqu are now looking firmer, confounding sceptics who have suggested that the relationship is being overplayed as part of a fashion for geo-political software conspiracies.
In Kaspersky’s analysis, the programs were part of a common effort by a single team dating back at least four years. The evolution of the malware suggests that this development is ongoing and has affected its targets in ways not yet detected or made public.
What the analysis cannot answer is who was behind what is now widely considered to be most potent cybermalware ever discovered, namely Stuxnet and probably Duqu too. Stuxnet has even recently though less convincingly been connected to the Conficker worm of 2008.
Popular security opinion blames Israel aided by the US but that is speculation. Iran’s nuclear program was Stuxnet’s most obvious victim but Israel and the US are far from the only countries with an interest in seeing it hindered.
“The platform continues to develop, which can only mean one thing – we’re likely to see more modifications in the future,” the researchers conclude.