Experts: Stuxnet and Duqu were created by different hackers
27.10.11, 13:30, Msk
Text: Sergey Mazharov
Dell SecureWorks has concluded that the Duqu trojan is not connected with last year's Stuxnet worm. ESET's Russian office is also conducting its own research into the malware.
According to SecureWorks, there are some similarities between Duqu and Stuxnet in code and functionality, but little convincing evidence that the two are related. "There is only circumstantial evidence, at best, and it is not enough to confirm a direct link," SecureWorks stated.
The Duqu trojan was discovered this month by a little-known Hungarian lab, the Laboratory of Cryptography and System Security. Last week, in its report, Symantec called the malware the precursor to the next version of Stuxnet and stated that Duqu and Stuxnet share a great deal of source code and were probably created by the same authors.
Symantec also noted that, unlike Stuxnet, Duqu does not target industrial control systems directly. Its main purpose is to give attackers the ability to steal data from manufacturers of industrial control systems, data that could later be used to attack the enterprises that run those systems.
However, Dell SecureWorks CTO Jon Ramsey said the connection between Duqu and Stuxnet appears, at best, very thin. Both Duqu and Stuxnet are complex, multi-component pieces of malware, and all of the similarity between the two lies in just one of those components, Ramsey said.
Both Duqu and Stuxnet use a kernel driver to decrypt and load several encrypted files on the infected computer. According to SecureWorks, the kernel driver serves as an "injection mechanism" that loads these files into a particular process. The security vendor's report noted that the kernel drivers of both pieces of malware use similar cryptographic techniques and similar stealth techniques, such as rootkit functionality for hiding files.
Nevertheless, that fact does not mean the two are connected, Ramsey noted, stressing that kernel-level rootkits have been used before and are not unique to Stuxnet or Duqu. Earlier malware, such as BlackEnergy 2 and Rustock, used similar kernel-level rootkits.
The fact that Duqu's kernel driver was signed with a certificate linked to Stuxnet has been understood as a sign that the two are connected. But a compromised certificate could have been obtained from several sources, Ramsey argues. To draw a definite conclusion, someone would have to provide indisputable proof that the certificate came from the same source for both Duqu and Stuxnet, he said.
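The signed-driver point above is the one a Windows administrator can act on directly: list the kernel drivers installed on a host, read the Authenticode signer of each, and compare the signer's certificate thumbprint against a watch-list of certificates you consider compromised. The script below is an added example written for this article, not code from SecureWorks, ESET, Symantec or the article's author; the two thumbprints in `$WatchList` are placeholders, not the certificates used by Stuxnet or Duqu, and the function name `Get-DriverSignerReport` is this example's own.

```powershell
# Added example (not from the article): report kernel drivers whose Authenticode
# signer is on a watch-list of certificate thumbprints, or whose signature is not valid.
# The thumbprints below are PLACEHOLDERS (hypothetical); replace them with the
# SHA-1 thumbprints of certificates you actually consider compromised.
$WatchList = @(
    '0000000000000000000000000000000000000001',  # placeholder, hypothetical
    '0000000000000000000000000000000000000002'   # placeholder, hypothetical
)

function Get-DriverSignerReport {
    param([string[]]$Thumbprints)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName comes in several shapes: quoted, prefixed with \??\, or relative
            # to \SystemRoot\. Normalise it to a plain file-system path first.
            $path = $_.PathName -replace '^"|"$', '' `
                                -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig   = Get-AuthenticodeSignature -LiteralPath $path
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }

            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                Path        = $path
                Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer      = if ($cert) { $cert.Subject } else { '' }
                Thumbprint  = $thumb
                OnWatchList = [bool]($thumb -and ($Thumbprints -contains $thumb))
            }
        }
}

$report = Get-DriverSignerReport -Thumbprints $WatchList

# Drivers signed with a watch-listed certificate, and drivers without a valid
# signature, are the ones worth a closer look.
$report |
    Where-Object { $_.OnWatchList -or $_.Status -ne 'Valid' } |
    Sort-Object OnWatchList -Descending |
    Format-Table Name, State, Status, Signer, Thumbprint, OnWatchList -AutoSize
```

Two caveats when reading the output. A match on the watch-list says only that someone holding that certificate's private key signed the file, which is exactly the ambiguity Ramsey describes: a stolen key can be used by anyone who obtained it. And on older PowerShell versions, drivers that ship with Windows and are signed through a catalog rather than an embedded signature can show up as NotSigned, so treat that status as a prompt to verify by other means, not as a finding in itself.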
Ramsey noted that, apart from the similarity in their kernel drivers, Duqu and Stuxnet differ in almost every other respect.
Duqu is intended only for data theft and for providing remote access to the compromised system; Stuxnet was built specifically to attack industrial control systems.
Stuxnet used four zero-day vulnerabilities, whereas Duqu uses no exploits, Ramsey said. Stuxnet uses peer-to-peer techniques and networks to spread on its own, which Duqu cannot do. In addition, Stuxnet has built-in data-theft functionality, while Duqu itself only provides access from outside.
ESET's Russian office reported that the company's specialists have recovered the encryption algorithm and the format of Duqu's configuration files. They have also developed a technique for determining the exact date on which a system was infected, which is very important for forensic examination in cases involving infected computers at industrial enterprises. Determining the time of infection also matters because of a feature of Duqu's implementation: the time it remains on an infected computer is limited.
According to the company, the most likely purpose of Duqu is to collect information and then coordinate the malware's further actions from a command-and-control server. Duqu can download and install additional functionality in the form of modules that carry out the main objectives of the attack.