A year after the Stuxnet worm targeted industrial systems in Iran and surprised security researchers with its sophistication, a new Trojan called Duqu has spread through the wild while being called the “Son of Stuxnet” and a “precursor to a future Stuxnet-like attack.” Researchers from Symantec say Duqu and Stuxnet were likely written by the same authors and based on the same code.
But further analyses by security researchers from Dell suggest Duqu and Stuxnet may not be closely related after all. That’s not to say Duqu isn’t serious, as attacks have been reported in Sudan and Iran. But Duqu may be an entirely new breed, with an ultimate objective that is still unknown.
A report yesterday from Dell SecureWorks analyzing the relationship to Stuxnet casts doubt on the idea that Duqu is related. For example, Dell says:
• Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
• The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
And while Stuxnet and Duqu each “have variants where the kernel driver file is digitally signed using a software signing certificate,” Dell says this commonality is insufficient evidence of a connection “because compromised signing certificates can be obtained from a number of sources.”
http://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all.ars

These trojans aren't your garden variety 'pay me right fucking now or you'll never be able to use your computer again' trojans. These are more sinister. The Government-made variety, even above the mentality of cave dwellers to comprehend....