Stuxnet and Duqu Part of Assembly Line
By HSNW 18 January, 2012
Jan 22, 2012 - 10:08:54 AM

Stuxnet, the highly sophisticated piece of malicious code that was the first to cause physical damage, could just be the tip of the iceberg in a massive cyberweapon manufacturing operation. According to cybersecurity researchers at Kaspersky Labs and Symantec, Stuxnet appears to be part of a larger cybersecurity weapons program with fully operational and easily modified malicious code that can be aimed at different targets with minimal costs or effort.

Since Stuxnet’s discovery, the two companies have been hard at work deciphering the code and both found common digital traces for at least seven “launcher” files made from the same software platform. A launcher file is used to secretly insert malicious code onto a computer along with any additional code needed to make the payload function.

So far the seven discovered launcher files contain portions of identical source code, with minor, but critical, differences. Two of the files are known to be used by Stuxnet and two others are used by Duqu, a recently discovered intelligence gathering program thought to be a precursor to Stuxnet. The remaining three launchers could be associated with unknown versions of Stuxnet and Duqu, or undiscovered cyberweapons currently in operation.
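The "common digital traces" described above are found by comparing code across samples. The following is an added example, not from the article and not Kaspersky's or Symantec's analysis: it uses constructed byte strings standing in for launcher binaries (a shared block playing the role of the platform code, each sample adding its own configuration and payload) and a byte n-gram Jaccard similarity to show how samples built on one platform cluster together while an unrelated file does not, and how the bytes common to the whole cluster can be extracted as a hunting signature. Real analysis uses richer features (function-level hashes, compiler artefacts, and the timelines and encryption keys the article mentions); PLATFORM, SAMPLES and every function name here are hypothetical.

```python
from itertools import combinations

# Constructed stand-ins for "launcher" binaries (not real malware bytes).
# PLATFORM plays the role of the shared loader code; each sample appends
# its own configuration block and payload, the "minor but critical" differences.
PLATFORM = (b"\x55\x8b\xec\x83\xec\x40\x53\x56\x57" * 6
            + b"LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00WriteProcessMemory\x00")

SAMPLES = {
    "launcher_A": PLATFORM + b"CFG:target=plc;mode=sabotage\x00" + b"\x90" * 8 + b"PAYLOAD-SABOTAGE-v1",
    "launcher_B": PLATFORM + b"CFG:target=plc;mode=sabotage\x00" + b"\x90" * 8 + b"PAYLOAD-SABOTAGE-v2",
    "launcher_C": PLATFORM + b"CFG:target=docs;mode=collect\x00" + b"\xcc" * 8 + b"PAYLOAD-COLLECT-v1",
    "unrelated":  bytes(range(7, 200, 3)) * 4 + b"CreateFileW\x00ReadFile\x00",
}

N = 8  # n-gram width in bytes


def ngrams(data: bytes, n: int = N) -> set:
    """Set of all n-byte substrings: a cheap, order-insensitive code fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = N) -> float:
    """Jaccard similarity of two samples' n-gram sets (0.0 means nothing shared)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def cluster(samples: dict, threshold: float) -> list:
    """Single-linkage grouping: samples land in one group when a chain of pairs
    each meets the similarity threshold. Returns a sorted list of name lists."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if jaccard(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def common_fingerprint(samples: dict, names: list) -> set:
    """n-grams present in every named sample: the candidate platform code a
    defender can turn into a signature for hunting further variants."""
    return set.intersection(*(ngrams(samples[name]) for name in names))


if __name__ == "__main__":
    for x, y in combinations(SAMPLES, 2):
        print(f"{x:11s} vs {y:11s}: {jaccard(SAMPLES[x], SAMPLES[y]):.2f}")
    print("clusters:", cluster(SAMPLES, 0.3))
    fp = common_fingerprint(SAMPLES, ["launcher_A", "launcher_B", "launcher_C"])
    print(f"{len(fp)} shared {N}-grams, e.g. {sorted(fp)[:3]}")
```

The two sabotage-style samples differ in a single byte and score close to 1.0; the collection-style sample shares only the platform block and its configuration prefix and scores roughly 0.5; the unrelated file shares nothing. Raising or lowering the threshold passed to cluster decides whether "same platform" or "same build" is the grouping of interest, which is the distinction at the heart of the disagreement reported later in the article.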

Costin Raiu, the director of the global research and analysis team at Kaspersky Labs, explained, “Stuxnet’s creators used a [software] platform to package and deliver it, because they wanted to be able to make many cyberweapons easily and be able to change them rapidly for targeting and attack.”

Raiu added, “Let’s imagine you want to steal documents. You don’t need the sort of sabotage capability built into Stuxnet, so you take that off. Instead, you use the same platform to create targeted malware, but perhaps focusing on espionage instead. That’s Duqu.”

Liam O Murchu, Symantec Security Response’s manager of operations, said Symantec’s research corroborates Kaspersky’s findings.

“We’ve done the same analysis Kaspersky has, and seen the same timelines, dates, encryption keys,” O Murchu said. “We think Stuxnet and Duqu are made by the same team, with the same goal…. They can change [the software weapon produced on the common platform], manipulate it, have different payloads.”

Using a common platform, the code’s creators can quickly and conveniently reuse software that was expensive to develop. The common platform is similar to a factory production process for building exotic cars, where there are many common parts like a frame or an engine but certain portions must be custom built. This system allows for the quick assembly of existing code to create fully developed cyberweapons that can be modified to target new industrial control systems or evade detection.

The discovery of a common platform has divided the cybersecurity community, with experts disagreeing on its implications.

Don Jackson, a senior security researcher with the Dell SecureWorks Counter Threat Unit, argued that it is unlikely the platform indicates that one lab or set of researchers created all of the malicious software; it is more likely that different groups used the same “kit.”

“Many other dimensions of the separate attacks indicate no common authorship or attribution,” Jackson said.

In contrast, Ed Skoudis, the cofounder of Inguardians, a cybersecurity firm, agreed with Kaspersky and Symantec.

“It makes tremendous sense,” Skoudis said. “Look at the effort needed to produce Stuxnet. You wouldn’t want to do it in a way that was one-off. You would want to produce a process that could reuse the parts, not shoot your entire cache of weapons in one attack.”

As an example, Skoudis pointed to the United States and its efforts to build the first atomic bomb.

“When the U.S. built the atom bomb, it wasn’t just the one. We had an infrastructure and platform for building additional weapons,” Skoudis said. “Whoever built Stuxnet got a lot of money and a lot of smart people working on it. It just makes sense that creating these kinds of weapons be repeatable – and that some set of fingerprints are left behind that shows that.”

Adding to the analogy, Raiu likened the Stuxnet manufacturers to a high-tech laboratory developing futuristic weapons.

“What’s going on seems not so much like a weapons factory as much as a super-secret lab that creates experimental cyberweapons,” he said. “It’s more like they’re making ion cannons or something – but for cyberwar. These are not normal line weapons, but the highest tech possible to wage cyberwar and cybersabotage.”

Source: Ocnus.net 2012