Experts 'Convinced' Duqu Work of Stuxnet Authors

Trailrunner7 writes "Researchers are fairly confident now that whoever wrote the Duqu malware was also involved in developing the Stuxnet worm. They're also confident that they have not yet identified all of the individual components of Duqu, meaning that there are potentially some other capabilities that haven't been documented yet. There was a lot of speculation when Duqu first emerged about whether the attack was the work of the same group--still unknown--that had created Stuxnet and unleashed it on Iran's nuclear facilities last year. Some of that was centered on supposed similarities in the code between the two pieces of malware, but that was before many of the individual components of Duqu had been identified and analyzed. Now that the analysis and research into the Duqu malware have advanced a bit, researchers say they've found more evidence that points to the malware being the work of the Stuxnet authors or their close associates. 'I'm convinced it's the same group,' Costin Raiu, director of global research and analysis at Kaspersky Lab, who has done much of the analysis of Duqu, said."

Should the researchers keep quiet?

[Relayman]

If Stuxnet is designed to prevent the total destruction of Israel and Duqu is intended to do something similar, shouldn't these "researchers" keep quiet about what they've found? People who mess with the military often find themselves six feet under (unless they're cremated first). I'm sorry, but I think their egos are taking over their common sense.

I would go further

[SmallFurryCreature]

Who is funding Kaspersky labs?

Remember that money makes for strange bedfellows. For instance, take Reuters. They been found to be lying in their reporting in this area... but what few THEN ask, why they ALWAYS been found lying to favor one side.

And if these companies are aiding Iran in keeping its nuclear facilities safe are they aiding it in nuclear development which it is not allowed to do according to UN regulations?

This whole case has more depth to it then just the west vs Iran. Somebody is playing game

Re:

[Unordained]

[evidence needed]
[citation needed]
[explicitly stated allegations needed]
[ad hominem needs review]

Re:

[Anonymous Coward]

Who is funding Kaspersky labs?

My best guess is AV software sales.

Re:

[Anonymous Coward]

Kaspersky Labs is funded by the sale of Kaspersky AntiVirus and the other security software that they sell direct on kaspersky.com. Everything else in your post in rambling, incoherent drivel that made my head hurt.

Re:

[Ihmhi]

Who is funding Kaspersky labs?

Kaspersky, eh? Sounds awfully Russian. And we all know them commies ain't ever up to no good. Quick Mabel, to the bunker!

Re:

[lucm]

Remember that money makes for strange bedfellows. For instance, take Reuters. They been found to be lying in their reporting in this area... but what few THEN ask, why they ALWAYS been found lying to favor one side.

This is exactly why I always watch Fox News. They have never been caught lying because they give me opinions, not facts. It is very convenient because the news I get from them are biased in a way that is compatible with my preconceived notions about the world. I am pretty busy, especially since Skyrim was released, so I don't have time to start shuffling good guys and bad guys around.

Re:Should the researchers keep quiet?

[Eunuchswear]

If Stuxnet is designed to prevent the total destruction of Israel

That's a big "if" you're waving around there partner.

Stuxnet could be a weapon designed for use against Iran, possibly by Israel, but "designed to prevent the total destruction of Israel", that's pretty hyperbolic.

People who mess with the military often find themselves six feet under (unless they're cremated first).

Who's military are you talking about here?

Re:Should the researchers keep quiet?

[Anonymous Coward]

More likely, stuxnet was designed as an alternative to an unpopular military action. Arab neighbors of Iran are eager for Israel to "handle" the issue so they can reap the benefits of an emasculated Iran without getting their own hands dirty. The situation for Israel is more complex; military action will galvanize anti-Israeli sentiments in the ME, and Iran is not their most immediate problem. BUT, neither can Iran be safely ignored. Stuxnet performed its job in buying extra time before Iran could finalize its nuclear program, but that extra time is running out.

Re:

[Relayman]

that's pretty hyperbolic.

Agreed. As first poster, I wanted to get this off to a rollicking start. But who else would Iran use their nuclear weapons on? Europe? The U.S.? South Africa? Those are even more hyperbolic.

Re:

[Anonymous Coward]

But who else would Iran use their nuclear weapons on?

Probably the same people who don't want Iran to be a nuclear country as much as Isreal; namely the rest of the Middle East.

I guess its a poor Western mentality that makes illogical group-think become accepted in that all Arab countries stick together. Nothing could be farther from the truth. Just about EVERY ME country does NOT want Iran to get nukes and have been actively encouraging every country (include the US) to militarily intercede into Iran.

Bluntly, most of the people who accuse Israel and the US of

Re:Should the researchers keep quiet?

[Eunuchswear]

Iran is not an arab country.

Re:

[lucm]

Iran is not an arab country.

This is just semantics. That's the problem with liberals, you think too much, and you end up with all those subcategories.

Foreign policy is so easy: all we need is the Axis of Evil. We put a "good" or "evil" label on every country, and people in "evil" countries can either overthrow Kim Jong Il and join us on the good side, or face the consequences and get nasty viruses.

As for determining if a country is evil, there is a simple solution: we ask ourselves "Would Jack Bauer collaborate with their ambassador o

Re:

[Eunuchswear]

Iran is not an arab country.

This is just semantics. That's the problem with liberals, you think too much, and you end up with all those subcategories.

I'm not a liberal.

I'm a socialist.

Jack Bauer, like all Americans, is a wimp. He's never met a terrorist he wouldn't buckle under to. He only wins because he has the scriptwriters on his side. Unfortunately for the real America the scriptwriter is not on your side.

Re:

[mr100percent]

Every ME country doesn't want Israel to have nukes either, but Israel says they don't friggin care what you think. Israel is one of the single-digit holdouts that refused to sign the Nuclear Non-Proliferation Treaty, even Iran signed it (which is why the IAEA routinely inspects Iran).

Why are so many people surprised the Iranian people want nukes? Their democracy was overthrown in a coup that the CIA freely admits orchestrating, they lost over a million people in the Iran-Iraq war, where among other things S

Re:

[Eunuchswear]

But who else would Iran use their nuclear weapons on?

I don't know.

Who would the US use their nuclear weapons on? Or the UK, France, Russia, China, Israel?

Re:

[antdude]

Who's = Who is. "Who is military are you talking about here?" :P

Re:

[Anonymous Coward]

Well if they suddenly die, vanish, appear in some terrorist video, or step down "for life / health / financial reasons" all of a sudden, we will know they were threatened.
Cause and effect.

I still don't understand how Stuxnet managed to get in so easily, or how this one is to those systems too.
You'd expect the people to have some sense of the security implications of opening random crap.

Also, does anyone have any list on what sort of systems it is infecting?
I find it quite interesting to see these very targe

Re:

[tsotha]

I still don't understand how Stuxnet managed to get in so easily, or how this one is to those systems too. You'd expect the people to have some sense of the security implications of opening random crap.

Do you have any reason to believe Stuxnet got in "easily"? The Iranians don't know how it got there. It may be the Israelis (or whoever) had an agent inject it onto the Natanz network. And nobody had to "open" anything, since it will spread through infected thumb drives.

Re:Should the researchers keep quiet?

[Baloroth]

This is probably the intelligence community at work here. If competent (and from the signs of how well created Stuxnet and Duqu are, they are), people who out these things have nothing to fear. It would almost be an open admission of guilt to "make them disappear." Not to mention the risk of being caught. These worms have worked by subtlety and subterfuge, they won't stop doing that now. And that means not killing people. Really, the idea that intelligence agencies work through murder is mostly (definitely not entirely, but mostly) a Hollywood/ New York Times Bestseller invention. In reality, assassination is way to risky to happen often or be used lightly.

Now, if they were leaking something like a NOC list or exact design documents for thermonuclear warheads, that might be a different story. Stuxnet, however, already did its damage. Duqu probably did too.

Re:Should the researchers keep quiet?

[Jeng]

Really, the idea that intelligence agencies work through murder is mostly (definitely not entirely, but mostly) a Hollywood/ New York Times Bestseller invention. In reality, assassination is way to risky to happen often or be used lightly.

Remember, we are talking about Israel here, they have no reservations about assassinations.

http://en.wikipedia.org/wiki/List_of_Israeli_assassinations [wikipedia.org]

Re:

[rtfa-troll]

Israel assassinates enemies; generally either Arabs or former Nazis. Attacking Russian citizens would be something completely different. They would want a bit more finesse and anonymity than they seem to have achieved recently.

Re:

[Jeng]

I mainly brought up that Israel does assassinate people not because of this subject, but because the person stated it that this just does not happen.

People who work for legitimate anti-virus companies studying this worm have nothing to fear.

Now as to people who might be studying this worm in Iran for the Iranian government, I would be watching my back.

Re:

[rtfa-troll]

I think that the assasination of Iranian nuclear scientists [wikipedia.org] has already happened. However, I think you should remember that both the CIA and the FSB (among others) are probably also fully capable of having people they don't like assassinated given the right circumstances. This doesn't in any way prove or disprove links with Israel.

Re:

[tsotha]

And what about Canadian Gerald Bull?

Israel will assassinate whoever it needs to assassinate in the interests of national security. Every country does at one point or another. The Israelis stand out because their national security interests are more immediately pressing than most countries, and because they have a lot of enemies using asymetric warfare.

Having said that let me say I doubt they would bother killing a computer virus researcher, even assuming he was dissecting their virus. There's no real b

Re:

[Savantissimo]

Bull had nothing to do with Iran or nukes. He was developing giant, militarily-useless space-launch artillery for Iraq. He also developed some of the best field artillery bought by countries around the world, as well as some other projects such as an improved SCUD nose cone. He was assassinated in Belgium, likely by Israel.

Re:Should the researchers keep quiet?

[elrous0]

It's not exactly a secret that Mossad and the IDF were the chief suspects in the creation of Stuxnet. They were even publicizing [jpost.com] their new cyber-warfare IDF division not too long before Stuxnet emerged. So I doubt Israel considers this a big secret. In fact, they may well want to publicize the "Threaten us and we can blow up your centrifuges" message it sends.

Re:Should the researchers keep quiet?

[Anonymous Coward]

No.

Malware researchers should investigate malware, regardless of its pedigree. The malware doesn't discriminate as to the computer. Duqu and Stuxnet will infect a Windows system regardless its location and use. That was part of the idea behind Stuxnet: wide initial deployment so that it would eventually find its way into the Iranian centrifuge system. The authors don't seem to care if they infect non-affiliated systems along the way.

There is also no reason why the exploits being used in Duqu and Stuxnet, presumably by western governments, can't be rebranded by our more run of the mill botnet farmers and spammers.

Re:

[Relayman]

Malware researchers are welcome to investigate, issue signatures to eradicate the malware and report the security holes to the proper software vendors. However, when they grandstand like this, they are just doing it to feed their egos and I don't agree with them doing that for malware connected with the military unless our military is screwing with their country (could happen).

Re:Should the researchers keep quiet?

[gl4ss]

iran going to nuclear war would lead to iran's government to fall - a conventional war would do that as well, it's a card house. messing with their industrial machines only can slow things down though, it can't stop them.

besides, going public with the information straight on would actually protect the researchers, if they're worried about ending up six feet under. but the real reason for going public is that for the researchers the value of the work is going public and going public with it first, so they'll get pageviews.

but.. you could go on further and say that they're doing free r&d for duqu/stuxnet developers. it's a stretch to say that they're the same guys though, just based on analysing the code - it could be just some guy(s) who thought stuxnets architechture was worth looking into as research.

Re:

[Hentes]

If Stuxnet is designed to prevent the total destruction of Israel and Duqu is intended to do something similar

They are designed to attack industrial complexes. And as any weapon, they can also be used for bad were someone with malicious intent copy them. Thus, owners of vulnerable hardware should have the information necessary to defend themselves. The researchers are doing their job, it wouldn't be independent research if they let politics into it.

Re:

[Relayman]

Wow. And in the year since Stuxnet has been discovered, how many of the exploits it uses are still unpatched?

Re:Should the researchers keep quiet?

[ColdWetDog]

Ummm... Israel is the only nation in the region attacking its neighbors. Get past the propaganda, and it is pretty apparent who the real terrorists are.

Right. The missiles shot from Gaza into Israeli territory were launched by whom? The Mossad? Not that I condone a lot of what the Israeli government is doing these days, but even for an AC, you seem remarkably dense.

Re:

[jrumney]

Israel is the only nation in the region attacking its neighbors.

Right. The missiles shot from Gaza into Israeli territory were launched by whom?

Not by any officially government backed forces of any recognized nation. Meanwhile Israel continues to turn a blind eye to, and even encourage, an even bigger PR problem which is entirely within their control - settlement construction in occupied territories. This isn't the actions of a country that wants to live peacefully with its neighbors. As long as they h

Re:

[JDG1980]

Well, for starters, civilian users have been affected by Duqu, so of course the antivirus researchers should go after it.

Secondly, your basic premise ("prevent the total destruction of Israel") is fundamentally flawed. Rulers far worse than Ahmadinejad (and Ali Khamenei, the real ruler of Iran) have had nuclear weapons in the past. Stalin and Mao were about as evil as it gets, but they still didn't blow up the world. You might say that the Iranians are different because they're fanatics. And I suppose that

Re:/tinfoil hat

[masternerdguy]

The CIA is backed up by a covert organization called the NID which wants to regulate the Stargate in Area 51. It's true.

My powers have doubled

[Spy Handler]

since the last time we met, Duqu!

What is this telling us?

[plover]

So Duqu is estimated to have infected about 50 machines. It's a piece of scouting software that collects and maps information, but doesn't attack. It doesn't even phone home yet. It's obviously not news because of its impact to the broad population of computers on the Internet.

So what exactly is this story telling us? Panic now, because the Stuxnet authors are still on the loose and writing malware? Don't panic at all, because Duqu is obviously targeting an Enemy of the State (like Iran) and not generic PCs? Buy Symantec or Kaspersky antivirus software because their detection has gotten better since Stuxnet?

Re:What is this telling us?

[Telvin_3d]

Stuxnet is the first widely reported example of a digital attack on the infrastructure of one nation by (what is believed to be) another nation or nations. This is a big deal. This is one that is likely to be in course syllabuses 50 years from now. If not in the CS department then probably in the PoliSci department. Anything connected to Stuxnet is inherently interesting and potentially newsworthy.

Any actual technical capabilities that Duqu may or may not have is the least interesting part of this story.

Re:

[MozeeToby]

Maybe it's telling us "this is what we see when we look at the code, we offer no conclusions beyond that". Seriously though, the writers of Stuxnet could be just about anyone, from the US, to Isreal, to Saudi Arabia, to Russia, to a group amateurs in their garage. Without knowing their identity, it's impossible to say what their overall motives could be. The only thing known nearly for sure (and that's assuming the researchers are correct in connecting Duqu and Stuxnet) is the authors are willing to do ph

Re:

[medv4380]

It's mostly just information at the moment about what appears to be actually cyber warfare. Though, lackluster cyber warfare to me, but still cyber warfare. Duqu also clearly does something else but what that is is anyone's guess. It is a bit risky for even a government entry to just up and make a virus. There is always a risk of unintended consequences with them unless you're just some vandal who just wants to see computer systems halt with no real goal.

The group isn't unknown at all.

[Anonymous Coward]

The greatest myth of Stuxnet is that the perpetrators who created it are still a mystery. A retiring Israeli general admitted on _video_ and bragged about the fact that Stuxnet was developed as a joint U.S.-Israeli project to attack Iran's nuclear facilities.

http://www.net-security.org/secworld.php?id=10596 [net-security.org]

Re:

[Anonymous Coward]

Well if some random guy took the credit it must be true. No one lies about what their accomplishments.

Re:

[ColdWetDog]

The greatest myth of Stuxnet is that the perpetrators who created it are still a mystery. A retiring Israeli general admitted on _video_ and bragged about the fact that Stuxnet was developed as a joint U.S.-Israeli project to attack Iran's nuclear facilities.

http://www.net-security.org/secworld.php?id=10596 [net-security.org]

He's full of it.

I did it.

Re:

[account_deleted]

Comment removed based on user account deletion

its cause we dont have amazing researchers

[Tyrannosaur]

Ralph Langner was the genius behind our knowing about what Stuxnet did. But his team of researchers aren't studying Duqu much because "please note that we don’t research Duqu as it appears to be unrelated to control systems." We don't have that genius picking apart Duqu as we do Stuxnet. But Duqu is not the next stuxnet. It's not nearly as cool. Stuxnet was a very unique virus for several reasons. Duqu is more like just a standard virus. I don't understand why Stuxnet was underplaid and Duqu is so overplayed. If you want the cool information on Stuxnet http://www.langner.com/en/2011/11/09/two-years-later/ [langner.com] is Langner's latest post.

'Convinced'

[u17]

I can never tell if these words in quotes are meant to be taken as literary citations or an indication of sarcasm. I think this 'style' of writing should be 'retired'.

Re:

[Relayman]

In this case, they are a short version of a quote. I agree, don't use quotes for sarcasm.

Not so difficult

[MacGyver2210]

I was checking out the Zeus source the other day, and these worms and botnets really aren't that complicated. I'd be surprised if we didn't see a boom of new worms/botnets because this looks like something any computer science major could come up with in a few days. The real way to avoid these would be to fix the grievous security holes in the main operating systems affected.

Why are they so sure?

[Hentes]

Stuxnet has leaked to the public, someone could just copy and modify it.

Re:

[Chninkel]

They don't explain in TFA, but maybe they found new pieces of code in Duqu that (compared with stuxnet) are written in a very similar "spirit" although not being part of the original Stuxnet. Sometimes it's very obvious who wrote a piece of code just by the way he implements things that can be implemented in several different ways (I'm not talking about code indentation of course)

Sounds like the book Zero Day

[micsaund]

Reading all of these comments on these 00ber-worms really parallels a book called Zero Day [amazon.com] that I'm reading. It's fairly entertaining so far, just in case anyone else is interested in a story revolving around Stuxnet/Duqu type stuff. It's probably old news around here, but anyway...

Militarized Malware

[koan]

This is fascinating, a team potentially responsible for an military attack on Iran is now in business for themselves? This and the alleged HBgary root kit make it seem as though "The Powers That Be" are taking the low road on the Internet.

As jaded as I am I guess there was still something in me left to turn cynical rather than hopeful.

All I want to know is....

[IceFoot]

How the heck do you pronounce "Duqu"?

Re:All I want to know is....

[Thud457]

How the heck do you pronounce " Duqu "?

It's pronounced : "for God's sake, keep Lucas away from writing any more Star Wars"

Humanity continues to amaze me.

[wvmarle]

Isn't it amazing how much effort humans put into the purpose of destroying one another?

I started to realise this recently while visiting some pre-WWII military sites, mostly former anti-ship and anti-aircraft batteries. So much effort it must have take to build them. It goes to show how much effort other groups must have put in to try and destroy that again. Now if only all that effort would have been put to different, more peaceful uses...

Stuxnet and Duqu are no different. They must have taken a lot of r