Skip to content

Stuxnet, Duqu and the sons of the “Tilded” platform

by paganinip on December 29th, 2011

We all have heard of Stuxnet viruses, malware that has undoubtedly marked a new era in the field. It is considered by experts the first real cyber weapon developed to infect control systems present in some of Iran’s nuclear facilities. With Stuxnet was in fact introduced a new concept of malware, broad-spectrum deadly weapon capable of hitting in a silent and surgical mode an high number of objectives located anywhere on the planet. Who is behind the development is not yet certain, however certain is that the complexity of malware has requested a development group with an high skill level.
Because of its uniqueness Stuxnet is still a matter of intense study at a distance of well over 4 years since its discovery. The researchers of the major antivirus companies have identified Stuxnet as the progenitor of another malware, Duqu, it also classified as a cyber weapon developed by a government commitment.

Kaspersky’s director of global research & analysis, Costin Raiu, has announced that his team has gathered evidence that shows that behind the Stuxnet and Duqu there is the same development team that has used a common platform to build the malwares, but what is really iteresting and new is that the researcher is convinced that the same framework has been also used to create at least three other pieces of malware.

Personally I have an experience of over 25 years in software development, and for this reason I fully appreciated what the researchers said. We are dealing with an application that consists of several modules each responsible for a specific function to perform. The behavior of the malware to be produced is given by the way in which these modules are made ​​to interact in the same agent. We are facing with a powerful a weapon for the following reasons:

  • Mutable and non-deterministic behavior of the final agent resultant of the module used.
  • Possibility of development of additional modules designed for specific categories of targets .
  • Opportunities for collaboration of multiple groups of developer component of different organizations. Having a common platform it is possible in the future to create a real library of modules, functions that can be called like in any other program to infect specific objectives.

Costin Raiu said

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,”

I find the statement is the perfect syntesis of the key concept behind the new cyber weapons, just as with Lego you can dial any “shape” of malware assembling the individual components in a manner to be able to attack a specific target.

Researchers with Kaspersky have named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”

For the moment, Stuxnet and Duqu are the only two malware that share these characteristics but it is certain that in future new agents will be isolated for the exposed reasons.

When an host is infected with this malware, the shared components on the platform search for two unique registry keys on the machine linked to Duqu and Stuxnet that are then used to load the main piece of malware onto the computer.
What is surprising is that Kaspersky recently discovered new shared components that search for at least three other unique registry keys, which suggests that the developers of Stuxnet and Duqu also built at least three other pieces of malware using the same platform.

Those component handle tasks including delivering the malware to a PC, installing it, communicating with its operators, stealing data and replicating itself.
Of course the main antivirus firms have already incorporated technology into their products to protect computers from getting infected with Stuxnet and Duqu.
Do you believe it is so easy to identify those components from registry key? Wrong!
Consider that the malware developers have the opportunity to test their antivirus avoidance techniques during malware developement and for the attack they can rely on 0-day effect.

How old is this platform? Kaspersky experts believes that Tilded traces back to at least 2007 because specific code installed by Duqu was compiled from a device running a Windows operating system on August 31, 2007.

Pierluigi Paganini

References

Stuxnet weapon has at least 4 cousins -researchers

Leave a Reply

You must be logged in to post a comment.