Tuesday, November 1, 2011

Duqu vs. Stuxnet – more of the same?

Duqu, the newly discovered malware, has been named by many as a 'predecessor to Stuxnet', but in fact this piece of sneaky code both resembles and differs from the notorious worm.

A variety of anti-malware researchers and firms recently reported that Duqu's structure, in terms of files and some internal logic, is almost identical to its alleged predecessor, which points to close familiarity with the Stuxnet source code on the part of whoever built it.
One of the firms even identified Duqu as a version of Stuxnet, and its automated malware analysis classified it as Stuxnet itself.

On the one hand, Duqu is signed with a legitimate digital certificate; Stuxnet was also signed, with a different certificate, and that certificate was, of course, revoked upon discovery.
On the other hand, the purpose of Duqu is entirely different. Some of the uncovered features include keylogging, self-destruction that also removes many of its traces, transmission of collected data to a Command and Control server using encrypted files, and strange image files that are still under investigation.

Nonetheless, Duqu's level of sophistication is rare, and its raison d'être remains unknown.
Keep an eye on this one, as the story of Duqu is slowly revealed.