
The Mystery of Duqu: Part Seven (Back to Stuxnet)

Aleks
Kaspersky Lab Expert
Posted December 28, 16:37  GMT
Tags: Targeted Attacks, Stuxnet, Duqu

We have been studying the Duqu Trojan for two months now, exploring how it emerged, where it was distributed and how it operates. Despite the large volume of data obtained (most of which has yet to be published), we still lack the answer to the fundamental question - who is behind Duqu?

In addition, there are other issues, mostly to do with the creation of the Trojan, or rather the platform used to implement Duqu as well as Stuxnet.

In terms of architecture, the platform used to create Duqu and Stuxnet is the same: a driver file loads a main module designed as an encrypted library. Alongside these there is a separate configuration file for the whole malicious complex, and an encrypted block in the system registry that defines the location of the module to be loaded and the name of the process for injection.

This platform can conventionally be called ‘Tilded’, as its authors are, for some reason, inclined to use file names which start with "~d".

We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers.

Several other details have been uncovered which suggest there was possibly at least one further spyware module based on the same platform in 2007-2008, and several other programs whose functionality was unclear between 2008 and 2010.

These facts significantly challenge the existing "official" history of Stuxnet. We will try to cover them in this publication, but let us first recap the story so far.



2 comments


AquiBull

2012 Jan 12, 03:47

DUKU is probably bigger than you think

May I suggest that if you want to find the source to this you look in Dubuque. This is a dirty pool of skrip kitties just looking to make a name for themselves. And it appears they have. You'll probably have to prepare for the worst and hope for the best.


madako

2012 Mar 12, 02:57

til ded?

I should note that this comment I am not making is not serious.
It is a joke/reference/thing.

so all/many of the files start with
~d
right?
tilde d
tilded
til ded
till dead?
till death
tildeath
~ATH?
Which kinda makes sense with the execute at the end of the loops and the deconstructors.
Because when the ~ATH loop ends and the object is destroyed/dies it runs the part in the EXECUTE part.

Again, I reiterate, this is just a joke.
~ATH is an esoteric programming language that is entirely unsuitable for this type of task. (as well as having some features that are impossible to implement)
I do not think there is a compiler for it or any part of it.


