Stuxnet, Duqu and Others Created with ‘Tilded’ Platform by the Same Team

After the extensive analysis of a large number of Stuxnet and Duqu drivers, Kaspersky Lab experts concluded that the two Trojans, along with other pieces of malware, were created by the same team, using a platform called Tilded, created around 2007-2008.

They believe that Tilded (named so because its authors tend to use file names that start with the tilde symbol followed by the letter d, i.e. “~d”) was used to create the two now infamous Trojans, which may have been the results of two projects run in parallel.

The details indicate that other spyware modules and programs are based on the same platform.

Now, researchers present a precise timeline to show the connection between Duqu and Stuxnet, and also to show how their drivers evolved from one year to the next. Their studies show that a driver called jmidebs.sys is the connecting link between mrxcls.sys and the drivers later used in Duqu.
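The two traits the article attributes to the platform, the “~d” file-name prefix and the named drivers mrxcls.sys and jmidebs.sys, can be turned into a simple triage pass over a file listing. The following is an added example, not Kaspersky Lab’s code or a published Tilded signature; the indicator tiers and the sample listing are constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Driver file names the article attributes to the Tilded platform.
KNOWN_TILDED_DRIVERS = {"mrxcls.sys", "jmidebs.sys"}

# The naming habit the platform is named after: a tilde followed by the letter d.
# Matched case-insensitively; treated as a weak indicator because legitimate
# temporary files can share the prefix (assumption for this example).
TILDE_D_PREFIX = re.compile(r"^~d", re.IGNORECASE)

STRONG = "known Tilded driver name"
WEAK = "~d file-name prefix (weak, needs triage)"


def classify_path(path: str) -> Optional[str]:
    """Return an indicator label for a Windows-style path, or None if clean."""
    name = PurePosixPath(path.replace("\\", "/")).name
    if name.lower() in KNOWN_TILDED_DRIVERS:
        return STRONG
    if TILDE_D_PREFIX.match(name):
        return WEAK
    return None


def hunt(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, label) for every entry that matches an indicator."""
    hits = []
    for p in paths:
        label = classify_path(p)
        if label is not None:
            hits.append((p, label))
    return hits


# Constructed sample listing (not real forensic data): two named drivers,
# one benign driver, two ~d-prefixed temp files and one ordinary document.
SAMPLE_LISTING = [
    r"C:\Windows\System32\drivers\mrxcls.sys",
    r"C:\Windows\System32\drivers\jmidebs.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Users\alice\AppData\Local\Temp\~DF1234.tmp",
    r"C:\Users\alice\AppData\Local\Temp\~dq1.tmp",
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for path, label in hunt(SAMPLE_LISTING):
        print(f"{label}: {path}")
```

The prefix match only nominates candidates for review; the driver-name match is the stronger signal and should be corroborated by hashing the file and checking its signer rather than trusting the name alone.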

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date,” Alexander Gostev, Chief Security Expert at Kaspersky Lab, said.

“We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team.”

In mid-2010, Tilded went through some changes which may have resulted from the need to better avoid detection by antivirus software, but also because its code could be improved.

Security experts are currently seeing further modifications to the platform, which can only mean that other malicious components, more or less similar to Duqu and Stuxnet, will soon come to light.
Source: Softpedia
