Stuxnet and Duqu made quite an impact on the security community when they were discovered, and are still considered to be two of the most sophisticated pieces of malware known to the greater public.
Security researchers are still analyzing samples and trying to figure out whether they might have been developed by the same individual or group of people, and according to Kaspersky Lab researchers Alexander Gostev and Igor Soumenkov, they have.
“In terms of architecture, the platform used to create Duqu and Stuxnet is the same,” they say. “This platform can be conventionally named as ‘Tilded’ as its authors are, for some reason, inclined to use file names which start with ‘~d’.”
They believe that the platform itself dates back to 2007-2008, that it was significantly changed in 2010 to keep up with the development of antivirus techniques, and that further modifications are sure to be undertaken in time. They also believe that Stuxnet and Duqu are not the only malware that was developed during the last four years on that platform.
By analyzing the various driver files used by both pieces of malware, and some that were obviously compiled and used earlier but cannot conclusively be tied to either of them, they came to the conclusion that it’s highly likely that the same team of developers was behind all of them, and that Stuxnet and Duqu were developed simultaneously.
“A few times a year the authors compile a new version of a driver file, creating a reference file. The primary purpose of this file is to load and execute a main module, which is created separately. It could be Stuxnet, or Duqu or something else,” they explain. “When it is necessary to use a driver for a new module, the authors use a dedicated program to modify information in the driver’s ‘reference’ file, i.e. its name and service information as well as the registry key and its value. It’s important to note that they tweak ready-made files and don’t create a new one from scratch. This means they can make as many different driver files as they like, each having exactly the same functionality and creation date.”
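For defenders, the quoted description means whole-file hashes differ between such drivers while the build date and code do not. The sketch below is an added example, not code from the article or from Kaspersky Lab: it groups PE images by header timestamp plus a hash of the code section. It assumes the "creation date" is the PE `TimeDateStamp` and that the tweaked name and registry data sit outside `.text`; the sample images and file names are constructed.

```python
import struct
import hashlib
from collections import defaultdict

def pe_fingerprint(data):
    """Return (TimeDateStamp, SHA-256 of the .text section) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        if name.rstrip(b"\0") == b".text":
            return stamp, hashlib.sha256(data[raw_ptr:raw_ptr + raw_size]).hexdigest()
    raise ValueError("no .text section")

def build_sample(stamp, code, config):
    """Constructed, minimal PE-like image (not loadable): code in .text, settings in .data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, 0, 0)
    text_ptr = 64 + 4 + 20 + 2 * 40                        # headers end here
    def section(name, size, ptr):
        return struct.pack("<8sIIII", name, size, 0, size, ptr) + b"\0" * 16
    return (dos + b"PE\0\0" + coff
            + section(b".text", len(code), text_ptr)
            + section(b".data", len(config), text_ptr + len(code))
            + code + config)

def cluster(samples):
    """Group file names whose timestamp and code hash match; drop singletons."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[pe_fingerprint(data)].append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]

# Constructed samples: two share a build and differ only in per-module settings.
CODE = b"\x55\x8b\xec" * 16
SAMPLES = {
    "sample_a.sys": build_sample(0x47000000, CODE, b"service=alpha;key=one"),
    "sample_b.sys": build_sample(0x47000000, CODE, b"service=beta;key=two"),
    "sample_c.sys": build_sample(0x4B000000, b"\x90" * 48, b"service=gamma"),
}

if __name__ == "__main__":
    print(cluster(SAMPLES))
```

A matching timestamp alone is weak evidence, since the field is trivially editable; pairing it with the code hash is what makes the grouping meaningful.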