Evidence Mounts Duqu, Stuxnet Had Same Parents


The latest discoveries on the inner workings of Duqu, the suspected cousin of the infamous Stuxnet worm that damaged Iran's nuclear facility last year, add to the mounting evidence that both pieces of malware were created by the same people.

The security lab at the Budapest University of Technology and Economics reported Tuesday that Duqu infected computers through a previously unknown flaw in the core of Microsoft Windows. The lab also recovered a Duqu installer that showed the Trojan was hidden in a Word document distributed in e-mail meant to trick the recipient into opening the file.

Duqu's exploitation of a so-called "zero-day" vulnerability in Windows is the same tactic used to infect machines with Stuxnet. In addition, both pieces of malware were directed at a small number of organizations, and both contain schedulers that confine their activity, such as replicating to other computers, to specific time frames. "These, together with other previously known details reinforce the theory that Stuxnet and Duqu were created by the same people," Alex Gostev, chief malware analyst at Kaspersky Lab, said in the company's blog.

Additional evidence showed that the attackers meticulously gathered information from every infected computer within each organization and that the malware replicated itself deep within the local network, Gostev said. Kaspersky believes the creators developed a unique set of Duqu files for each victim. "There may well be a unique command server for each entity that was attacked," he said.

A command-and-control server for Duqu has been uncovered in India and in Belgium. Both have been taken down.

Microsoft was notified of the Windows vulnerability and said in a statement Wednesday that it would release a patch through its normal distribution process. "We are working diligently to address this issue," Jerry Bryant, group manager in Microsoft's Trustworthy Computing unit, said. A timetable was not released.

Security vendors have reported Duqu discoveries in 12 countries. The malware has not been reported in the U.S. The number of incidents reported in Iran and Sudan recently grew to four and three, respectively. "Our research shows that the incidents we detected involving Duqu in Sudan and Iran are actually bigger than initially thought," Gostev said.

Security experts have not released the names of the organizations struck by Duqu, other than saying they are suppliers of industrial factories.

Stuxnet, first discovered in June 2010, targeted Siemens industrial equipment running Windows. Nearly 60 percent of infected systems worldwide were in Iran, where the malware is believed to have damaged control systems in the country's nuclear facility. Duqu's purpose appears to be to gather information for possible future attacks. The malware lacks the destructive capabilities of its cousin.