Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

India Seizes Servers Linked to Duqu as Experts Question its Relation to Stuxnet

In Mumbai, Indian authorities seized components from servers in a data center, after Symantec informed them that they were communicating with the command and control (C&C) infrastructure used by Duqu, the Trojan that is touted as the precursor to the next Stuxnet. However, experts are now saying that the connection between the two malicious programs is questionable.

In Mumbai, Indian authorities seized components from servers in a data center, after Symantec informed them that they were communicating with the command and control (C&C) infrastructure used by Duqu, the Trojan that is touted as the precursor to the next Stuxnet. However, experts are now saying that the connection between the two malicious programs is questionable.

Duqu Compared to StuxnetAccording to a report from Reuters, officials from the Department of Information Technology in India seized hard drives and other components from a server hosted in a Mumbai data center. 

Security vendors and government labs are working overtime to examine Duqu, which is feared to be the spawn of Stuxnet, the malware blamed for reactor issues at an Iranian nuclear facility. They are worried that malware such as Duqu and Stuxnet are the building blocks needed in order for attackers to target critical infrastructure. Based on the initial analysis of Duqu, many researchers warned that it was the second generation development of Stuxnet.

However, researchers at the Counter Threat Unit of Dell’s SecureWorks said that while there are some similarities, the odds are good that Duqu was not developed by the Stuxnet authors.

“Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the “injection” component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated,” SecureWorks’ report noted.

In all, there are four points that the SecureWorks report points out.

Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files.

“The kernel drivers serve as an “injection” engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats,” the report explains.

Encrypted DLL files are stored using the .PNF extension.

Advertisement. Scroll to continue reading.

“This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.”

The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files.

“Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats,” the report adds.

Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate.

“The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.”

In the end, the report concludes, “The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.”

Watch the On Demand Webcast: “Duqu- Precursor to the Next Stuxnet,” Presented by Symantec

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.