Security Experts:

India Seizes Servers Linked to Duqu as Experts Question its Relation to Stuxnet

In Mumbai, Indian authorities seized components from servers in a data center, after Symantec informed them that they were communicating with the command and control (C&C) infrastructure used by Duqu, the Trojan that is touted as the precursor to the next Stuxnet. However, experts are now saying that the connection between the two malicious programs is questionable.

Duqu Compared to StuxnetAccording to a report from Reuters, officials from the Department of Information Technology in India seized hard drives and other components from a server hosted in a Mumbai data center. 

Security vendors and government labs are working overtime to examine Duqu, which is feared to be the spawn of Stuxnet, the malware blamed for reactor issues at an Iranian nuclear facility. They are worried that malware such as Duqu and Stuxnet are the building blocks needed in order for attackers to target critical infrastructure. Based on the initial analysis of Duqu, many researchers warned that it was the second generation development of Stuxnet.

However, researchers at the Counter Threat Unit of Dell’s SecureWorks said that while there are some similarities, the odds are good that Duqu was not developed by the Stuxnet authors.

“Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the "injection" component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated,” SecureWorks’ report noted.

In all, there are four points that the SecureWorks report points out.

Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files.

“The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats,” the report explains.

Encrypted DLL files are stored using the .PNF extension.

“This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.”

The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files.

“Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats,” the report adds.

Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate.

“The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.”

In the end, the report concludes, “The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.”

Watch the On Demand Webcast: "Duqu- Precursor to the Next Stuxnet," Presented by Symantec

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.