December 16, 2017

Same Platform Used to Create Stuxnet, Duqu and Other Yet Unknown Malware

(LiveHacking.Com) – Researchers from Kaspersky Labs have discovered that Stuxnet and Duqu were created on the same platform, which may have been developed long before the Stuxnet scandal of 2011. Known as “Tilded”, because its files commonly have names starting with the tilde symbol (~), the platform is used by a single team to create modular malware that can be adapted to specific targets.

Kaspersky Labs came to this conclusion by analyzing the drivers used to infect systems with Duqu and Stuxnet. More worrying is that one of the driver files was compiled in January 2008, and that seven types of drivers with similar characteristics exist in the wild.

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date. We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

This leads to the conclusion that Duqu and Stuxnet are separate projects, but that they were created on a single platform – Tilded. It appears that Tilded was developed around the end of 2007 and the beginning of 2008. In 2010 the platform was developed further to avoid detection by antivirus solutions. There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown.

The full version of the report of Alexander Gostev and Igor Sumenkov is available at Securelist.