A year after the Stuxnet worm targeted industrial control systems in Iran and surprised security researchers with its sophistication, a new Trojan called Duqu has been found in the wild and is already being called the “Son of Stuxnet” and a “precursor to a future Stuxnet-like attack.” Researchers from Symantec say Duqu and Stuxnet were likely written by the same authors and are based on the same source code.

But further analyses by security researchers from Dell suggest Duqu and Stuxnet may not be closely related after all. That’s not to say Duqu isn’t serious, as attacks have been reported in Sudan and Iran. But Duqu may be an entirely new breed, with an ultimate objective that is still unknown.

A report yesterday from Dell SecureWorks analyzing the relationship between the two threats casts doubt on the idea that Duqu is related to Stuxnet at all. For example, Dell says:

Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Load Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.

The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.

And while Stuxnet and Duqu each “have variants where the kernel driver file is digitally signed using a software signing certificate,” Dell says this commonality is insufficient evidence of a connection “because compromised signing certificates can be obtained from a number of sources.”
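The point about signed drivers is one a defender can act on directly. The PowerShell snippet below is an added example, not part of the article or of any vendor report it cites: it lists the running kernel drivers on a Windows host together with their Authenticode status and signing certificate. It assumes a Windows PowerShell 3.0 or later session with rights to read the driver files; the variable and column names are the example's own.

```powershell
# Added example (not from the article or any cited report): triage the kernel
# drivers currently running on this host by Authenticode status and signer.
# A valid signature only proves that some key signed the file, not that the key
# was used legitimately, so the signer is reported alongside the status.
$systemRoot = $env:SystemRoot

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # WMI reports kernel-style paths (\SystemRoot\..., \??\C:\...); turn them
    # into ordinary Win32 paths before handing them to the signature check.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $systemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Driver     = $d.Name
        Path       = $path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

# Unsigned or broken signatures first: these need an explanation on any host.
$report | Where-Object Status -ne 'Valid' | Format-Table Driver, Path, Status -AutoSize

# Then the validly signed drivers grouped by signer, rarest signer first, so a
# certificate that signs only one or two drivers on this host stands out.
$report | Where-Object Status -eq 'Valid' | Group-Object Signer |
    Sort-Object Count | Select-Object Count, Name | Format-Table -AutoSize
```

A driver signed with a stolen or otherwise compromised certificate reports a Status of Valid exactly like a legitimate one, which is why Dell treats the presence of a valid signature as weak evidence of anything. The grouping by signer exists so that a subject you have never seen on that class of host gets a manual look, and the thumbprint is what you would check against the issuing CA's revocation list.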

While Stuxnet spread through infected USB sticks and across local networks, the Duqu infection method is still unknown, Dell said. Unlike Stuxnet, Duqu carries no code that specifically targets SCADA (supervisory control and data acquisition) components. Instead, Duqu gives attackers remote access to compromised computers, with the ability to run arbitrary programs, and could in principle be used against any organization, Dell said.

“Both Duqu and Stuxnet are highly complex programs with multiple components,” Dell says. “All of the similarities from a software point of view are in the ‘injection’ component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.”

The security vendor Bitdefender has also cast doubt on the supposed Duqu/Stuxnet link in its Malwarecity blog. “We believe that the team behind the Duqu incident are not related to the ones that released Stuxnet in 2010, for a number of reasons,” BitDefender’s Bogdan Botezatu writes. While a rootkit driver used in Duqu is similar to one identified in Stuxnet, that doesn’t mean it’s based on the Stuxnet source code.

“A less known aspect is that the Stuxnet rootkit has been reverse-engineered and posted on the Internet,” Botezatu writes. “It’s true that the open-sourced code still needs some tweaking, but an experienced malware writer could use it as inspiration for their own projects.” The fact that Stuxnet and Duqu seem to be targeting different systems and the fact that reusing code would not be a smart move for attackers argue against a link, he continues.

“Code reuse is a bad practice in the industry, especially when this code has been initially seen in legendary e-threats such as Stuxnet,” he writes. “By now, all antivirus vendors have developed strong heuristics and other detection routines against industry heavy-weights such as Stuxnet or Downadup. Any variant of a known e-threat would likely end up caught by generic routines, so the general approach is ‘hit once, then dispose of the code.’”

Symantec, however, seems convinced of the link to Stuxnet. “Duqu is essentially the precursor to a future Stuxnet-like attack,” Symantec writes. “The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.” Symantec bolsters its case by noting that executables designed to capture keystrokes and system information “using the Stuxnet source code” have been discovered.

Kaspersky Lab agrees that Stuxnet and Duqu are similar and in fact says the main distinguishing factor between the two is the “detection of only a very few [Duqu] infections.” A handful of infections have been found, including one in Sudan and three in Iran. But the Duqu end game is unknown.

Kaspersky Lab Chief Security Expert Alexander Gostev says in a statement, “Despite the fact that the systems attacked by Duqu are located in Iran, to date there is no evidence of there being industrial or nuclear program-related systems. As such, it is impossible to confirm that the target of the new malicious program is the same as that of Stuxnet. Nevertheless, it is clear that every infection by Duqu is unique. This information allows one to say with certainty that Duqu is being used for targeted attacks on pre-determined objects.”

Researchers will no doubt uncover more information about Duqu in the coming weeks and come up with methods of thwarting Duqu-based attacks. Microsoft, among many others, has released antivirus signature updates covering variants of the Duqu Trojan.