10.19.11

Duqu virus derived from Stuxnet? How’s and why’s of virus proliferation

Posted in Crazy Weapons, Cyberterrorism at 9:04 am by George Smith

Earlier in the week some clown at the Washington Post called the advent of the Stuxnet virus the “Hiroshima” of cyberspace.

Yesterday’s news of the Duqu virus generated some queries to your host. And if the world computer virus proliferation network works the way it always has, soon some windbag will have to talk about the cyberspace equivalent of a massive thermonuclear exchange.

However, to make this one short, I’ll describe one of the basics of computer virus proliferation.

Once out, there is no controlling what others might do to your creation. So, at this point it cannot be known with absolute certainty if Duqu’s creators were Stuxnet’s.

In any case, I’m sure the media will fill up with all kinds of spontaneously-generated theories on the subject.

The nut of my argument is this:

The history of malware generation and proliferation tells us that once a certain piece is in circulation others build upon it. In fact, there has always been a great enthusiasm for doing so.

Therefore, malicious code eventually either gets distributed or becomes an open book to those in the malware art interested in adopting pieces of it for their own purposes.

It becomes game for others to analyze and use.

Stuxnet was widely distributed to many computer security experts. Many of them do contract work for government agencies, labor that might require a variety of security clearances and that others would regard as black hat in nature. Once that happened, all bets were off.

So, to summarize: once a thing is in world circulation it is not protected or proprietary property. Such malicious code may contain hindrances to copying or reverse engineering, but these can be overcome given enough effort. Add to this that malware source code has never stayed secure. It becomes something coveted by many, often in direct proportion to its fame.

Therefore, given the Byzantine and secretive interlinked nature of this world, it would not be surprising if Stuxnet code had leaked, even if only in bits and pieces.
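The comparison that sits behind any claim that one sample reuses another's components, as an added example that is not part of the original post or its comments: it fingerprints two binaries with winnowed k-gram hashes, scores how much of one sample's fingerprints reappear in the other, and reports the byte ranges they share verbatim. The samples are constructed pseudo-random blobs standing in for code sections (nothing here is Stuxnet or Duqu data), and the k-gram size and window width are arbitrary choices, not values from any published analysis.

```python
"""
Added example: finding shared components between two binaries with
k-gram fingerprints (winnowing). The samples are constructed pseudo-random
byte strings, not real malware bytes.
"""
import hashlib
import random
from typing import List, Set, Tuple

K = 8  # bytes per k-gram (one "shingle" of the binary); arbitrary choice
W = 4  # winnowing window: keep one fingerprint per W consecutive k-grams


def kgram_hashes(data: bytes, k: int = K) -> List[int]:
    """Hash every k-byte window of the input (64-bit BLAKE2b digests)."""
    return [
        int.from_bytes(hashlib.blake2b(data[i:i + k], digest_size=8).digest(), "big")
        for i in range(len(data) - k + 1)
    ]


def winnow(hashes: List[int], w: int = W) -> Set[int]:
    """Winnowing (Schleimer, Wilkerson, Aiken 2003): the minimum hash of each
    window of w consecutive k-gram hashes is a fingerprint. Fingerprints depend
    only on content, so a component shared at any offset contributes the same
    values in both files; any shared run of at least k + w - 1 bytes yields at
    least one shared fingerprint."""
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(data: bytes) -> Set[int]:
    return winnow(kgram_hashes(data))


def shared_fraction(sample: bytes, reference: bytes) -> float:
    """Fraction of the sample's fingerprints that also occur in the reference."""
    fp_s, fp_r = fingerprint(sample), fingerprint(reference)
    return len(fp_s & fp_r) / len(fp_s) if fp_s else 0.0


def shared_regions(sample: bytes, reference: bytes,
                   k: int = K, min_len: int = 64) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) of the sample whose every k-gram also appears
    verbatim in the reference. Exact k-gram bytes are compared here (no hashing),
    so a reported region really is byte-identical to part of the reference.
    Runs shorter than min_len are dropped as noise."""
    ref_grams = {reference[i:i + k] for i in range(len(reference) - k + 1)}
    regions, start = [], None
    for i in range(len(sample) - k + 1):
        hit = sample[i:i + k] in ref_grams
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            regions.append((start, i - 1 + k))
            start = None
    if start is not None:
        regions.append((start, len(sample)))
    return [(s, e) for s, e in regions if e - s >= min_len]


def _blob(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a code section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed components (assumptions, not real binaries):
HEADER = _blob(1, 64)       # a small stub both builds happen to share
LOADER = _blob(2, 2048)     # the component reused verbatim between builds
PAYLOAD_A = _blob(3, 2048)  # sample A's own payload
PAYLOAD_B = _blob(4, 2048)  # sample B's own payload
OTHER = _blob(5, 4160)      # an unrelated binary

SAMPLE_A = HEADER + LOADER + PAYLOAD_A  # the reference ("known" sample)
SAMPLE_B = HEADER + LOADER + PAYLOAD_B  # reuses the loader at the same offset
SAMPLE_C = OTHER                        # shares nothing
SAMPLE_D = PAYLOAD_B + LOADER           # reuses the loader at a different offset

if __name__ == "__main__":
    for name, s in (("B", SAMPLE_B), ("C", SAMPLE_C), ("D", SAMPLE_D)):
        print(f"sample {name} vs A: shared fingerprints "
              f"{shared_fraction(s, SAMPLE_A):.1%}, "
              f"verbatim regions {shared_regions(s, SAMPLE_A)}")
```

Run as a script it prints, for each sample against sample A, the share of fingerprints in common and the byte ranges that match verbatim: the reused loader shows up whether it sits at the same offset (sample B) or a different one (sample D), and the unrelated sample shows nothing. Working analysts compare disassembled functions, normalized opcode sequences and import tables rather than raw bytes, because recompilation and relocation change bytes even when the source is identical, but the principle of set overlap between fingerprints is the same.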

7 Comments

  1. Larry Constantine (Lior Samson) said,

    October 20, 2011 at 6:25 am

    You are absolutely right. I and industrial security experts like Ralph Langner have been taking this position all along, that Stuxnet, whose code and deconstruction have been widely circulated, is a design template and spare parts bin for all manner of malicious software targeted at industrial control systems. Forensic analysis of the Duqu code suggests that its author(s) had access to Stuxnet source code, which is circumstantial evidence that it came from the same clandestine sources. However, smart software developers with enough persistence and purpose will no doubt eventually put some of the lessons and components of Stuxnet to use for destructive ends. This is the message that many of us have been trying to get out. These malware missiles can be turned back on us. In the novel Web Games (Gesher Press, 2010) the target was our power industry, but it could be gas pipelines or petroleum cracking or…

    –Prof. Larry Constantine (Lior Samson)

  2. Hungarian Dance said,

    October 21, 2011 at 12:40 am

    Dear Blog Author,

    Please don’t speak if you know nothing!

    Duqu was created by Stuxnet authors, or a party who have received the Stuxnet human-readable source code from the original creators. Both antivirus companies F-Secure of Finland and Kaspersky Lab of Russia have confirmed that Duqu was made by re-using Stuxnet source code to a large extent. Repeat, source code (with line comments), not simple disassembled/decompiled code!

    Stuxnet source code (not decompiled code) has NOT been publicly disseminated so far. The large size of the Stuxnet binary and its extremely complex interior would make 100% decompilation impossible to achieve anyhow. The Anonymous/Lulz hackers claiming to have posted “Stuxnet source code” only scratched the malware’s surface with their decomps, no more than 25% they did.

    Symantec, the world’s largest AV company, has been working on disassembling the new Duqu for over 7 days now, day and night, and they are still less than two-thirds of the way complete.

    Kind Regards, from Budapest, Hungary, the place currently foremost infected with Duqu in the whole world.

  3. George Smith said,

    October 21, 2011 at 7:23 am

    Duqu was created by Stuxnet authors, or a party who have received the Stuxnet human-readable source code from the original creators.

    Your reading comprehension is a bit lacking.

    So I’ll repeat: Therefore, malicious code eventually either gets distributed or becomes an open book to those in the malware art interested in adopting pieces of it for their own purposes.

  4. George Smith said,

    October 21, 2011 at 7:27 am

    Kaspersky Lab even went so far as to illustrate their whitepaper about the warhead / delivery system dual nature of Stuxnet / Duqu with the aseembly [sic] scheme of an American B-61 nuclear bomb.

    And while this may be what they did to hook interest and sales, it’s dumb. And it got hung up in the spam filter where I’ve left the rest of it.

  5. MrEthiopian said,

    October 21, 2011 at 8:18 pm

    The first rendition of this code utilized a stolen CA that the systems presumed legitimate; the first test of nefarious code was labeled to be genuine. That is/was an avenue that will not be exploited so easily again, if at all. The next hit will not be so easy. You could have the finest work in the world, but unless you get root you have nothing.

  6. mehdi said,

    October 22, 2011 at 9:48 pm

    Dear experts,
    I am a member of a CERT in Iran. It would be very great if you could possibly send me the source of the Duqu virus to help me analyze its functions.
    Thanks in advance.

  7. Not said,

    October 24, 2011 at 4:55 pm

    The weakness in the source code somehow does not mean “source code has been leaked in bits and…”. The complexity of the malware, which targets certain products, is itself a weakness, and is used as a starting point for de-constructing the ditty.

    However, the more immediate spin-off is the commercial damage to the supplier of the targeted products, which will lose its market share, as well as the sector witnessing an emergent intent to migrate away from this mode of control constructs. Hence, who is cashing in? Please spare me the narrative so widely accepted as fact.

    Interesting to see this site is frequented with comedians too.