Duqu And Stuxnet Could Be Cousins In Arms Against Iran

Iranian President Mahmoud Ahmadinejad visits the Natanz uranium enrichment facilities 200 miles south of Tehran.

TINA CASEY

Despite a warning from the U.S. to back off, Iran has threatened to close the Strait of Hormuz, and it claims that a U.S. aircraft carrier is lurking in the area. But if Iran is preparing for a fight, the real action is more likely to begin with laptops and desktops.

According to a team from the Russian IT security firm Kaspersky Lab, the notorious Duqu and Stuxnet computer viruses, both of which reportedly attacked Iranian nuclear facilities, can be traced to a single, much older platform that has also been used to create at least three other viruses.

Duqu was first detected by a Hungarian security lab in October. Since then, security researchers around the globe have been racing to determine the extent of its spread and to pinpoint its origins, as Microsoft has struggled to patch a security flaw in Microsoft Word that enabled the transmission of the malware in the first place.

Almost a year after Iranian President Mahmoud Ahmadinejad said Iranian centrifuges had been attacked by Stuxnet, Iran in November said it had detected Duqu and was working to fight it, confirming earlier reports of security researchers.

In addition to gathering the information necessary to cause physical damage to industrial systems, such as those at Iran’s uranium enrichment plants, the Duqu malware also opens the door for other viruses such as Stuxnet, which could have the capability to assume control of those systems.

If Duqu and Stuxnet share the same platform, this could be just the beginning of a new round of cyber-attacks designed to prevent Iran from building nuclear weapons.

Kaspersky Lab is confident of its findings, and that doesn’t bode well for Iran’s ability to respond effectively to future attacks.

The Kaspersky team is calling the parent platform “Tilded” in reference to the tilde symbol “~” and the letter “d,” which begin many of its file names. They found evidence of a connection to Stuxnet while analyzing a Duqu incident that occurred in August 2011, and used an in-house database of other malicious programs to find additional similarities.

The database itself turned out to be a key piece of evidence for a common, older ancestor shared between the two viruses. As explained by Kaspersky Lab, the database contained a file that was created a year before the creation of the drivers used by Stuxnet.

In a prepared statement, Alexander Gostev, Chief Security Expert at Kaspersky Lab, said:

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date. We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team.”

As for the geographic locations, nationalities and political affiliations of that team, Kaspersky doesn’t speculate.

Earlier, however, Kaspersky said that “Stuxnet development was likely to be backed by a nation state, which had strong intelligence data at its disposal,” leading to additional speculation from other researchers and media outlets that Israel and/or the U.S. were behind the virus.

Also, it is worth pointing out that whoever was behind Duqu is apparently a fan of the American SHOWTIME series “Dexter,” as they embedded an obvious reference to the show in the code.

In any case, Kaspersky Lab’s predictions for 2012 include “a dramatic increase in the number of targeted attacks,” particularly on “companies and state organizations involved in arms manufacturing, financial operations, or hi-tech and scientific research activities.”

Hold on to your hats.
