Saturday, 26 November 2011

New Duqu Trojan analysis questions Stuxnet connection

Robert Westervelt, News Director

New analysis of the Duqu Trojan has concluded there is not enough evidence to link it to Stuxnet, and calls earlier analysis that claimed Duqu was a brand new version of the worm pure speculation.


The Duqu Trojan report, issued by the Dell SecureWorks Counter Threat Unit, said Duqu raised eyebrows recently for containing code that shares striking similarities with the Stuxnet worm, but that ultimately the new Trojan was designed for a totally different purpose. The payloads of Duqu and Stuxnet are significantly different and unrelated, the Dell SecureWorks researchers said.

“One could speculate the injection components share a common source, but supporting evidence is circumstantial at best, and insufficient to verify a direct relationship,” according to the report. “The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.”

Initial Duqu Trojan analysis was issued by Symantec Corp. on Oct. 18, which concluded the malware may be a precursor to a future Stuxnet-style attack. The Mountain View, Calif.-based vendor said parts of Win32.Duqu are nearly identical to Stuxnet, indicating it was created by someone who has access to the Stuxnet source code. Duqu was designed to enable attackers to install other malicious programs that could record keystrokes, gather system information, take screenshots and search files.


Symantec has revised its early report, which stated that Duqu was present on the systems of "industrial control system manufacturers". The change was made after consulting with the Industrial Control Systems Computer Emergency Response Team (ICS-CERT), said Liam O Murchu, manager of operations for Symantec Security Response. The companies that had Duqu on their systems “were not necessarily the manufacturers of process control systems, but of a valve or pipe that might be used in an industrial control system facility,” Murchu said. “We're trying to differentiate between companies actually using PLCs and companies supplying parts to facilities that have PLCs.”

Murchu said Symantec conducted a thorough analysis of the Duqu code and stands by its initial report that it was made from the same Stuxnet source code. Symantec researchers conducted a binary comparison of the code inside the Duqu loader as well as the code in numerous other components, he said.

“We don't have 100% evidence that shows Duqu was made by the same creators that wrote Stuxnet, but we do know that the threats were made from a similar source code,” Murchu said. “This wasn't just similar; the very same code was used, and that shows us that both threats were produced from the identical code base.”

Similarities to Stuxnet
Duqu and Stuxnet use the same kernel driver to decrypt and load encrypted dynamic-link library (DLL) files, enabling the Trojan to inject itself into system processes. Other components that encrypt Duqu and make it stealthy are also used in Stuxnet, but, according to the Dell SecureWorks researchers, they have also been used in other, unrelated malware.

Where Stuxnet and Duqu share striking similarities is in the software signing certificate used to digitally sign the kernel driver file. The digital certificate lets the malware present itself to the infected system as a legitimately signed, harmless kernel driver. Both Stuxnet and Duqu appear as a driver from the JMicron Technology Company.

“The commonality of a software signing certificate is inadequate evidence to conclude the samples are related, because compromised signing certificates may be obtained from various sources. One must prove the sources are common to draw a definitive conclusion,” according to the report.

Symantec initially said the Trojan was detected on the systems of European industrial control manufacturers. However, the Dell SecureWorks analysis found no specific code that seeks out supervisory control and data acquisition (SCADA) components. The main purpose of Duqu is to provide an attacker with remote access to a compromised computer in order to upload additional malware that may steal sensitive data.

Duqu defenses
Security researchers are still attempting to track down the Duqu installers, which might provide clues as to how machines are initially infected by the Trojan.

The Dell SecureWorks team said most antivirus and antimalware technologies can now detect Duqu infections. Risk-averse organizations can take additional steps, which include monitoring non-SSL traffic for communication to Duqu-related domains.
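The monitoring step above can be turned into a simple log hunt. The script below is an added example, not code from the article or from Dell SecureWorks; it scans Squid-style proxy access log lines for plaintext HTTP requests whose destination host equals, or is a subdomain of, a watchlisted domain. The watchlist entries and the log lines are constructed placeholders, not Duqu indicators (those would come from the vendor's report), and CONNECT tunnels are deliberately skipped because their content cannot be inspected on the wire.

```python
"""Hunt a proxy access log for plaintext HTTP requests to watchlisted domains.

Added example. WATCHLIST and LOG_LINES are constructed placeholders; substitute
the domains published in the vendor report for a real hunt.
"""
import re
from collections import namedtuple

# Constructed stand-ins for the Duqu-related domains named in the report.
WATCHLIST = {"c2-placeholder.example", "update-placeholder.example"}

# Constructed Squid access.log lines:
# timestamp elapsed client result/status bytes method url user hierarchy type
LOG_LINES = """\
1322298000.123    45 10.0.0.21 TCP_MISS/200 1540 GET http://www.c2-placeholder.example/index.php - DIRECT/203.0.113.7 text/html
1322298001.456   120 10.0.0.22 TCP_TUNNEL/200 9130 CONNECT c2-placeholder.example:443 - DIRECT/203.0.113.7 -
1322298002.789    30 10.0.0.23 TCP_MISS/200 2210 GET http://www.example.org/ - DIRECT/198.51.100.5 text/html
1322298003.000    20 10.0.0.24 TCP_MISS/404 300 GET http://cdn.update-placeholder.example:8080/a.gif - DIRECT/203.0.113.9 image/gif
1322298004.500    10 10.0.0.25 TCP_MISS/200 800 GET http://notc2-placeholder.example/ - DIRECT/192.0.2.4 text/html
"""

Alert = namedtuple("Alert", "timestamp client host url")

# scheme://host[:port]... ; host stops at the first '/' or ':'
_URL_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^/:]+)(?::(?P<port>\d+))?")


def extract_host(url):
    """Return (scheme, host) for a scheme://host URL.

    CONNECT requests log a bare host:port target with no scheme; those return
    (None, host) so the caller can tell a TLS tunnel from a plaintext request.
    """
    m = _URL_RE.match(url)
    if m:
        return m.group("scheme"), m.group("host").lower()
    return None, url.split(":", 1)[0].lower()


def host_matches(host, watchlist):
    """True when host is a watchlisted domain or a subdomain of one.

    Matching on the dot boundary stops 'notc2-placeholder.example' from
    matching 'c2-placeholder.example'.
    """
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_plaintext_hits(log_text, watchlist=WATCHLIST):
    """Return an Alert for every plaintext HTTP request to a watchlisted host."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        ts, client, url = fields[0], fields[2], fields[6]
        scheme, host = extract_host(url)
        # Only non-SSL traffic is in scope: CONNECT tunnels and https URLs
        # are skipped because their payload is not inspectable here.
        if scheme != "http":
            continue
        if host_matches(host, watchlist):
            alerts.append(Alert(ts, client, host, url))
    return alerts


if __name__ == "__main__":
    for a in find_plaintext_hits(LOG_LINES):
        print(f"{a.timestamp} {a.client} -> {a.host}  {a.url}")
```

Run against the constructed lines, the script flags the two plaintext requests (from 10.0.0.21 and 10.0.0.24) and ignores the TLS tunnel, the benign site and the look-alike host; in practice the same `host_matches` check can be pointed at DNS query logs to catch hosts that resolve a watchlisted name without going through the proxy.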


