Jim Finkle – Reuters December 30, 2011
The Stuxnet virus that last year damaged Iran’s nuclear program was likely one of at least five cyber weapons developed on a single platform whose roots trace back to 2007, according to new research from Russian computer security firm Kaspersky Lab.
Security experts widely believe that the United States and Israel were behind Stuxnet, though the two nations have officially declined to comment on the matter.
A Pentagon spokesman on Wednesday declined comment on Kaspersky’s research, which did not address who was behind Stuxnet.
Stuxnet has already been linked to another virus, the Duqu data-stealing trojan, but Kaspersky’s research suggests the cyber weapons program that targeted Iran may be far more sophisticated than previously known.
Kaspersky’s director of global research & analysis, Costin Raiu, told Reuters on Wednesday that his team has gathered evidence that shows the same platform that was used to build Stuxnet and Duqu was also used to create at least three other pieces of malware.
Raiu said the platform is comprised of a group of compatible software modules designed to fit together, each with different functions. Its developers can build new cyber weapons by simply adding and removing modules.
“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,” he said.
Kaspersky named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”
Researchers with Kaspersky have not found any new types of malware built on the Tilded platform, Raiu said, but they are fairly certain that they exist because shared components of Stuxnet and Duqu appear to be searching for their kin.
When a machine becomes infected with Duqu or Stuxnet, the shared components on the platform search for two unique registry keys on the PC linked to Duqu and Stuxnet that are then used to load the main piece of malware onto the computer, he said.
Kaspersky recently discovered new shared components that search for at least three other unique registry keys, which suggests that the developers of Stuxnet and Duqu also built at least three other pieces of malware using the same platform, he added.
Those modules handle tasks including delivering the malware to a PC, installing it, communicating with its operators, stealing data and replicating itself.
Makers of anti-virus software including Kaspersky, U.S. firm Symantec Corp and Japan’s Trend Micro Inc have already incorporated technology into their products to protect computers from getting infected with Stuxnet and Duqu.
Yet it would be relatively easy for the developers of those highly sophisticated viruses to create other weapons that can evade detection by those anti-virus programs by the modules in the Tilded platform, he said.
Kaspersky believes that Tilded traces back to at least 2007 because specific code installed by Duqu was compiled from a device running a Windows operating system on August 31, 2007.
(Reporting By Jim Finkle; Editing by Phil Berlowitz)