A relationship between the Stuxnet and Duqu trojans has long been suspected. Now Kaspersky researchers have concluded that the two trojans, and possibly others, were produced by the same malware developers and share a common platform, which Kaspersky calls ‘Tilded’ (pronounced ‘tilda-dee’ because of its tendency to use the characters ‘~d’ in filenames).
The conclusion is based on a common (modular) design and a common coding style. The two trojans are so similar that Kaspersky has said you could interchange their drivers and both would still work. The main difference between them is purpose rather than design: while Stuxnet can be described as an attack tool, Duqu is primarily an information-gathering tool. This has led some to believe that Duqu was used to gather the intelligence on which Stuxnet relied.
Individually, Stuxnet and Duqu have generated considerable concern within the security industry: Stuxnet because it is often considered to be the first example of genuine cyberwarfare, and Duqu because of its modularity. The modularity is leading many researchers to believe that the Tilded platform is a work in progress. It is when you put these two concepts together, work-in-progress and cyberwarfare, that the alarm bells begin to ring. What is the purpose of the Tilded platform, and who is behind it?
Kaspersky is very clear that officially it can shed no light on the originators of the malware. Nevertheless, researchers both inside and outside Kaspersky believe that the evidence points toward nation-state involvement. There are three primary reasons. First, national governments around the world are publicly earmarking special budgets for the development of both offensive and defensive cyber-weaponry. Second, Kaspersky has shown a long development history in the evolution of Duqu/Stuxnet; organized crime would normally seek a much faster time-to-market for its investments. And third, the sheer cost of the resources necessary to develop and test this platform is staggering. Many researchers believe that only a national budget could finance Stuxnet/Duqu development.
The concern then, if this is a work-in-progress funded by a national budget, is what's next?