Debate: The Stuxnet authors are behind the Duqu trojan.

PRO

Liam Ó Murchu, operations manager, security technology & response, Symantec

We are certain Duqu was created using the same source code as Stuxnet. This is because roughly 50 percent of the code in Duqu is reused from Stuxnet. It would be nearly impossible to reverse engineer Stuxnet's binary and achieve code so similar, not to mention impractical. Because the same source code was used, Stuxnet and Duqu share remarkable similarities: Duqu's method for loading modules into memory has only ever before been observed in Stuxnet; both threats' encryption algorithms are nearly identical; both store their two primary files, an executable and a configuration file with a unique .pnf extension, in the same subdirectory; and both are stored in a single file with all other components included therein. The organizational structure of the components within these files is identical. So, who has access to the Stuxnet source code? The truth is only Stuxnet's authors do. All these facts taken into account leave no doubt Duqu was created by, at the very least, Stuxnet-affiliated attackers.

CON

Don Jackson, director, Dell SecureWorks Counter Threat Unit

As of Nov. 1, the known Duqu payloads enable the attacker to steal information from the infected computer and the network to which it is connected, capture keystrokes and download additional code. Currently, no code in any of the known Duqu variants pertains to or targets industrial control systems, as Stuxnet did. There have been no confirmed Duqu victims that are industrial control system (ICS) providers or manufacturers of ICS components, such as the programmable logic controllers targeted by Stuxnet. If the Duqu actors are the Stuxnet actors, why would they use the same code used in previously deployed cyber weapons (Stuxnet), knowing that the code would trip security alerts? The code in common between Duqu and Stuxnet is the modules used to decrypt other code and inject it into the memory of other running programs. This is a common tactic used by modern malware. Similar code can be found on malware programming forums, and the specific implementation used by Stuxnet is given in detail in source code available on the internet.
