Liam Ó Murchu, operations manager, security technology & response, Symantec
We are certain Duqu was created using the same source code as Stuxnet. This is because roughly 50 percent of the code in Duqu is reused from Stuxnet. It would be nearly impossible to reverse engineer Stuxnet’s binary and achieve code so similar, not to mention impractical. Because the same source code was used, Stuxnet and Duqu share remarkable similarities: Duqu’s method for loading modules into memory has only ever before been observed in Stuxnet; both threats’ encryption algorithms are nearly identical; both store their two primary files, an executable and a configuration file with a unique .pnf extension, in the same subdirectory; and both are stored in a single file with all other components included therein. The organizational structure of the components within these files is identical. So, who has access to the Stuxnet source code? The truth is only Stuxnet’s authors do. All these facts taken into account leave no doubt Duqu was created by, at the very least, Stuxnet-affiliated attackers.
Don Jackson, director, Dell SecureWorks Counter Threat Unit
As of Nov. 1, the known Duqu payloads enable the attacker to steal information from the infected computer and the network to which it is connected, capture keystrokes and download additional code. Currently, no code in any of the known Duqu variants pertains to or targets industrial control systems, as Stuxnet did. There have been no confirmed Duqu victims that are industrial control system (ICS) providers or manufacturers of ICS components, such as the programmable logic controllers targeted by Stuxnet. If the Duqu actors are the Stuxnet actors, why would they use the same code used in previously deployed cyber weapons (Stuxnet), knowing that the code would trip security alerts? The code in common between Duqu and Stuxnet is the modules used to decrypt other code and inject it into the memory of other running programs. This is a common tactic used by modern malware. Similar code can be found on malware programming forums, and the specific implementation used by Stuxnet is given in detail in source code available on the internet.
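Both statements above turn on how much code two samples share, a figure analysts usually derive by fingerprinting functions after normalizing away addresses and immediates, so that code compiled from the same source matches even when it is linked at a different base. The following is an added example, not code from either speaker or from the real Stuxnet or Duqu binaries: the two "samples" are small constructed dictionaries of function names to disassembly lines, and the function names and instructions are invented for illustration.

```python
import hashlib
import re

# Normalization rules (assumptions of this example): memory operands and
# hex immediates are collapsed so relocation and address differences
# between two builds of the same source do not change a function's hash.
MEM_REF = re.compile(r"\[[^\]]+\]")
HEX_IMM = re.compile(r"\b0x[0-9a-fA-F]+\b")


def normalize_instruction(insn: str) -> str:
    """Reduce one instruction to its opcode/operand-shape skeleton."""
    insn = MEM_REF.sub("MEM", insn)
    insn = HEX_IMM.sub("IMM", insn)
    return " ".join(insn.split())


def fingerprint(asm_lines):
    """SHA-256 over the normalized instruction sequence of one function."""
    skeleton = "\n".join(normalize_instruction(line) for line in asm_lines)
    return hashlib.sha256(skeleton.encode()).hexdigest()[:16]


def function_fingerprints(sample):
    """Map each function name in a sample to its normalized fingerprint."""
    return {name: fingerprint(body) for name, body in sample.items()}


def shared_functions(candidate, reference):
    """Names of candidate functions whose fingerprint also occurs in reference."""
    ref_hashes = set(function_fingerprints(reference).values())
    cand = function_fingerprints(candidate)
    return sorted(name for name, h in cand.items() if h in ref_hashes)


def reuse_ratio(candidate, reference):
    """Fraction of candidate's functions that are byte-for-byte (after
    normalization) present in reference: the '50 percent' style figure."""
    return len(shared_functions(candidate, reference)) / len(candidate)


def jaccard(sample_a, sample_b):
    """Symmetric similarity over the two fingerprint sets."""
    a = set(function_fingerprints(sample_a).values())
    b = set(function_fingerprints(sample_b).values())
    return len(a & b) / len(a | b)


# Constructed sample A (stand-in for a reference binary). Invented code.
SAMPLE_A = {
    "load_module": ["push rbp", "mov rbp, rsp", "sub rsp, 0x40",
                    "call 0x401200", "mov [rbp-0x8], rax", "leave", "ret"],
    "decrypt_block": ["xor eax, eax", "mov ecx, 0x100",
                      "add al, [rsi+rcx]", "dec ecx", "jnz 0x4013a0", "ret"],
    "write_config": ["mov rdi, 0x402000", "call 0x401500", "ret"],
    "controller_hook": ["mov eax, 0x7050", "call 0x401800", "ret"],
}

# Constructed sample B: two functions are the same source rebuilt at a
# different base (only addresses differ), one is modified, one is new.
SAMPLE_B = {
    "load_module": ["push rbp", "mov rbp, rsp", "sub rsp, 0x40",
                    "call 0x10002200", "mov [rbp-0x8], rax", "leave", "ret"],
    "decrypt_block": ["xor eax, eax", "mov ecx, 0x100",
                      "add al, [rsi+rcx]", "dec ecx", "jnz 0x100033a0", "ret"],
    "write_config": ["mov rdi, 0x10004000", "xor esi, esi",
                     "call 0x10002500", "ret"],
    "keylogger": ["call 0x10006000", "test eax, eax", "jz 0x10006100", "ret"],
}

if __name__ == "__main__":
    print("shared:", shared_functions(SAMPLE_B, SAMPLE_A))
    print("reuse ratio:", reuse_ratio(SAMPLE_B, SAMPLE_A))
    print("jaccard:", round(jaccard(SAMPLE_A, SAMPLE_B), 3))
```

A match under this normalization is strong evidence of a common compiled origin for that function, which is the kind of observation behind Ó Murchu's 50 percent figure. It does not by itself say where that origin lies: if, as Jackson notes, the matching functions are generic loader and decryption routines whose source circulates publicly, the same fingerprints could appear in any binary built from that source, so an attribution argument has to weigh which functions match, not only how many.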