Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

India Seizes Servers Linked to Duqu as Experts Question its Relation to Stuxnet

In Mumbai, Indian authorities seized components from servers in a data center, after Symantec informed them that they were communicating with the command and control (C&C) infrastructure used by Duqu, the Trojan that is touted as the precursor to the next Stuxnet. However, experts are now saying that the connection between the two malicious programs is questionable.

In Mumbai, Indian authorities seized components from servers in a data center, after Symantec informed them that they were communicating with the command and control (C&C) infrastructure used by Duqu, the Trojan that is touted as the precursor to the next Stuxnet. However, experts are now saying that the connection between the two malicious programs is questionable.

Duqu Compared to StuxnetAccording to a report from Reuters, officials from the Department of Information Technology in India seized hard drives and other components from a server hosted in a Mumbai data center. 

Security vendors and government labs are working overtime to examine Duqu, which is feared to be the spawn of Stuxnet, the malware blamed for reactor issues at an Iranian nuclear facility. They are worried that malware such as Duqu and Stuxnet are the building blocks needed in order for attackers to target critical infrastructure. Based on the initial analysis of Duqu, many researchers warned that it was the second generation development of Stuxnet.

However, researchers at the Counter Threat Unit of Dell’s SecureWorks said that while there are some similarities, the odds are good that Duqu was not developed by the Stuxnet authors.

“Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the “injection” component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated,” SecureWorks’ report noted.

In all, there are four points that the SecureWorks report points out.

Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files.

“The kernel drivers serve as an “injection” engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats,” the report explains.

Encrypted DLL files are stored using the .PNF extension.

“This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.”

The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files.

“Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats,” the report adds.

Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate.

“The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.”

In the end, the report concludes, “The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.”

Watch the On Demand Webcast: “Duqu- Precursor to the Next Stuxnet,” Presented by Symantec

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.