Russian computer security outfit Kaspersky Lab said that the Stuxnet virus that damaged Iran's nuclear programme was likely to be one of at least five cyber weapons developed on a single platform. The viruses have never been seen 'in the wild' - and it's unclear whether they, like Stuxnet, would be built to cause failures at nuclear plants, or engineered for another purpose.
Both Stuxnet and Duqu appear to have been created back in late 2007 or early 2008, and other pieces of malware with similar capabilities were built on the same platform, Gostev said.
Gostev examined two key drivers and variants that were used in both Stuxnet and Duqu, as well as two previously unknown drivers that were similar to the ones used. Not only did the same group of people develop Stuxnet and Duqu, but they likely worked simultaneously on multiple variants, Gostev said. The other pieces may be in the wild and not yet detected, or the developers may have decided not to release them, he said.
Overall, Kaspersky found seven types of drivers from the family with similar characteristics, and for three of them it is not known which malicious program they were used with. Alexander Gostev, Chief Security Expert at Kaspersky, commented: “The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date.”
Researchers with Kaspersky have not found any new types of malware built on the Tilded platform, Raiu said, but they are fairly certain that they exist because shared components of Stuxnet and Duqu appear to be searching for their kin. When a machine becomes infected with Duqu or Stuxnet, the programs search for two unique registry keys on the PC linked to Duqu and Stuxnet that are then used to load the main piece of malware onto the computer, he said.
"We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers," Gostev wrote.
The developers are tweaking ready-made files instead of creating new drivers from scratch, which allows them to make as many different driver files as they like, each having exactly the same functionality and creation date, Gostev said. These files can also be signed with legitimate digital certificates and packaged into different variants.
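The point above, that the variants share identical functionality and an identical creation date while differing as files, is exactly what a defender can pivot on: cluster a driver collection by the PE compile timestamp and flag any timestamp shared by several binaries with different hashes. The Python below is an added example written for this article, not Kaspersky's tooling or code from the page. The PE images, timestamp values and file names are constructed in the script so it runs offline; in practice the bytes would be read from driver files on disk.

```python
import hashlib
import struct
from collections import defaultdict


def build_minimal_pe(timestamp, payload=b""):
    """Build a minimal PE-shaped byte string (constructed test data, not a real driver).

    Only the DOS header, the "PE\\0\\0" signature and the COFF file header are
    present, which is all pe_timestamp() needs.
    """
    dos_header = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos_header, 0x3C, 64)          # e_lfanew -> PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos_header) + b"PE\x00\x00" + coff_header + payload


def pe_timestamp(data):
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # TimeDateStamp is 4 bytes into IMAGE_FILE_HEADER, which follows the 4-byte signature
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def cluster_by_timestamp(samples):
    """Group {name: bytes} by compile timestamp; each value is a sorted list of (name, sha256)."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        digest = hashlib.sha256(data).hexdigest()
        clusters[pe_timestamp(data)].append((name, digest))
    return {ts: sorted(members) for ts, members in clusters.items()}


def suspicious_clusters(samples, min_distinct=2):
    """Timestamps shared by at least `min_distinct` files that have different hashes."""
    return {
        ts: members
        for ts, members in cluster_by_timestamp(samples).items()
        if len({digest for _, digest in members}) >= min_distinct
    }


# Constructed samples: three variants share one timestamp but differ in content;
# a fourth file carries an unrelated timestamp. Both timestamp values are arbitrary
# placeholders; only equality between files matters to the clustering.
SHARED_TS = 0x47A0_0000
OTHER_TS = 0x4B00_0000

SAMPLES = {
    "variant_a.sys": build_minimal_pe(SHARED_TS, b"A" * 16),
    "variant_b.sys": build_minimal_pe(SHARED_TS, b"B" * 16),
    "variant_c.sys": build_minimal_pe(SHARED_TS, b"C" * 16),
    "unrelated.sys": build_minimal_pe(OTHER_TS, b"D" * 16),
}

if __name__ == "__main__":
    for ts, members in suspicious_clusters(SAMPLES).items():
        print(f"timestamp {ts:#010x} shared by {len(members)} distinct files:")
        for name, digest in members:
            print(f"  {name}  {digest[:16]}...")
```

A shared compile timestamp across distinct hashes is a lead, not proof: toolchains can stamp the same second legitimately, and timestamps are trivially forged. The check earns its keep when combined with the other shared traits the article mentions, such as the signing certificate and the driver's behaviour.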