The software platform used to create both the Stuxnet and Duqu computer worms has been around since the end of 2007 and is the foundation of an unknown number of malware packages that may have been built by a dedicated team of malware developers, researchers at Kaspersky Lab reported this week.
"We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers," Kaspersky Lab researchers Alexander Gostev and Igor Soumenkov stated in a report on the subject posted Wednesday.
Stuxnet is a powerful computer worm that spreads through Microsoft Windows but specifically targets Siemens supervisory control and data acquisition (SCADA) systems, like those used to control the Iranian nuclear facility infrastructure that the malware plagued in 2010. Duqu, discovered in September, is thought by many security researchers to be virtually identical to Stuxnet in origin and makeup, though it appears to have been tweaked to steal information from industrial control systems rather than damage them as its cousin does.
"In terms of architecture, the platform used to create Duqu and Stuxnet is the same," Gostev and Soumenkov write. "This is a driver file which loads a main module designed as an encrypted library. At the same time, there is a separate configuration file for the whole malicious complex and an encrypted block in the system registry that defines the location of the module being loaded and name of the process for injection."
Gostev and Soumenkov have dubbed the code kernel they believe underlies both computer worms the "Tilded" platform, in reference to its authors' habit of using file names starting with "~d". In its first iteration, the Tilded platform was used to create at least one spyware module in 2007 or 2008, and "several other programs whose functionality was unclear" between 2008 and 2010, they said.
The researchers believe the platform underwent "its most significant change" in the summer or fall of 2010. That change produced Stuxnet, for which four driver file variants have now been identified, and Duqu.
They also think the Stuxnet/Duqu story has yet to be fully told. Kaspersky Lab has recently come across previously unknown driver files that the researchers think may have been part of early Tilded platform-based spyware modules; these do not appear to be associated with Stuxnet but may have been predecessors to Duqu.
Gostev and Soumenkov think that what they are probably seeing is various stages of the "evolution" of the driver files used to "load and execute a main module" like Duqu or Stuxnet. The authors of those driver files wouldn't write new ones from scratch, the researchers said, but instead would "tweak ready-made files."
Commonalities between versions of the driver files for Tilded platform-based worms suggest not just a common ancestry for Stuxnet and Duqu, but common authorship of the programs by a team working together, according to the Kaspersky Lab researchers.