Duqu and Stars: Proceed with Caution

Sunday, November 06, 2011

Robert M. Lee


Ryan Naraine of Kaspersky Lab made a blog post on November 5th confirming that some of the Duqu targets were hit on April 21st, 2011. 

The blog post also states that the kernel-level exploit in Duqu was used in the April attacks, which is very exciting in terms of understanding the intentions and capabilities of Duqu. This is another impressive find by the staff at Kaspersky.

However, the blog then cites an analysis from IrCERT (Iran's Computer Emergency Response Team) claiming that Duqu is simply an upgraded version of the Stars malware.

There is very little currently available to support a connection between Stars and Duqu. In a paper I released with two of my mentors, we described links between Stuxnet and Duqu.

Yet even looking at the binary matches, the similarly advanced coding in Duqu's kernel-level 0day, the signed drivers, and the use of command and control servers, it is still possible that Duqu is not related to Stuxnet. I strongly believe that they are connected, but that is my opinion and there are other logical arguments available. (Editor's note: This paragraph was amended by the author for clarification after initial publication.)

To state that Duqu and Stars are related based on undisclosed evidence from the victim country is unfounded. Stars reportedly struck Iran in April, and we know that a Duqu variant existed in April.

However, the Kaspersky report does not state whether the April 21st variant of Duqu was discovered on one of the Iranian targets. Duqu had many targets, including those in Europe, Iran, and Sudan.

Judging from the known variants as well as the timestamps on its signed drivers, Duqu could have been operating for over a year. Therefore, by the logic being used to link Duqu and Stars, any advanced malware operating in Europe, Iran, or Sudan this year could be related to Duqu. I do not agree with this.

I believe that the possible link between Stars and Duqu must be researched and could provide details on both pieces of malware. However, confidently stating with the current evidence that the pieces of malware are related may hinder other investigations into Duqu.

Furthermore, the Kaspersky blog states that the United Nations' information, provided by more than ten nations, concerning Iran's possible development of nuclear arms components could have been collected through Stars and Duqu.

If Duqu was created by a nation state with the intent of remaining anonymous, then I doubt that nation state would share such information with more than ten other nations. Cyberspace is a very interesting and complex domain.

Security experts as well as hackers are taught to think "outside of the box" and track down any possible connection between malware, targets, and motives.  It is important though to be careful about opinions stated alongside facts that can influence the way people think, especially regarding statements that can influence political tension between nation states.


Robert M. Lee is a Cyberspace Officer in the United States Air Force; however this post and his views do not represent the US Air Force, Department of Defense, or US Government. The opinions held in this post are his alone and this post was written outside of a military capacity. 
