Stuxnet, Duqu and the sons of the “Tilded” platform

Pierluigi Paganini December 29, 2011

We have all heard of Stuxnet, the malware that undoubtedly marked a new era in the field. Experts consider it the first real cyber weapon, developed to infect the control systems present in some of Iran's nuclear facilities. Stuxnet introduced a new concept of malware: a broad-spectrum weapon capable of silently and surgically hitting a high number of objectives located anywhere on the planet. Who is behind its development is not yet certain; what is certain is that the complexity of the malware required a development group with a high skill level.
Because of its uniqueness, Stuxnet is still a matter of intense study well over 4 years after its discovery. Researchers at the major antivirus companies have identified Stuxnet as the progenitor of another malware, Duqu, which is also classified as a cyber weapon commissioned by a government.

Duqu Stuxnet

Kaspersky's director of global research and analysis, Costin Raiu, has announced that his team has gathered evidence showing that the same development team is behind both Stuxnet and Duqu and that it used a common platform to build them. What is really interesting and new is that the researcher is convinced the same framework has also been used to create at least three other pieces of malware.

Personally, I have over 25 years of experience in software development, and for this reason I fully appreciate what the researchers said. We are dealing with an application made up of several modules, each responsible for a specific function. The behavior of the malware produced is determined by the way these modules are made to interact within the same agent. We are facing a powerful weapon for the following reasons:

  • Mutable and non-deterministic behavior of the final agent, resulting from the modules used.
  • The possibility of developing additional modules designed for specific categories of targets.
  • Opportunities for collaboration between multiple groups of developers belonging to different organizations. With a common platform it is possible in the future to create a real library of modules, functions that can be called, as in any other program, to infect specific objectives.

Costin Raiu said:

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,”

I find this statement the perfect synthesis of the key concept behind the new cyber weapons: just as with Lego, you can build any "shape" of malware by assembling the individual components so as to attack a specific target.

Researchers with Kaspersky have named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”

For the moment, Stuxnet and Duqu are the only two malware that share these characteristics, but it is certain that new agents will be isolated in the future, for the reasons set out above.

When a host is infected with this malware, the shared components of the platform search for two unique registry keys on the machine, linked to Duqu and Stuxnet respectively, which are then used to load the main piece of malware onto the computer.
What is surprising is that Kaspersky recently discovered new shared components that search for at least three other unique registry keys, which suggests that the developers of Stuxnet and Duqu also built at least three other pieces of malware using the same platform.
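The two observable traits the article reports, file names beginning with "~d" and a loader that consults a registry key to find the main module, are the kind of thing a defender can hunt for in endpoint telemetry. The script below is an added example written for this page; it is not Kaspersky's code, and the telemetry records, file paths and registry key names in it are constructed placeholders, not the real Duqu or Stuxnet artifacts (the article does not publish those keys). It flags "~d"-named file creations, flags registry writes whose value data names such a file, and raises the confidence when the two correlate on the same host. Note that some legitimate software also creates "~D"-prefixed temporary files, so the output is a triage list, not a verdict.

```python
import re
from dataclasses import dataclass

# Heuristic taken from the article: Tilded components use file names that begin
# with "~" followed by "d". Match on the basename only, case-insensitively.
TILDED_NAME = re.compile(r"^~d", re.IGNORECASE)


@dataclass
class Event:
    """One record of endpoint telemetry (constructed format, not a real EDR schema)."""
    kind: str            # "file_create" or "reg_set"
    host: str
    data: str            # created file path, or the registry value data written
    reg_key: str = ""    # registry key, only meaningful for "reg_set" events


def basename(path: str) -> str:
    # Accept either separator so the same check works on mixed-source logs.
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_tilded_name(path: str) -> bool:
    return bool(TILDED_NAME.match(basename(path)))


def scan(events):
    """Return (host, reason, detail) findings.

    - "tilded_filename": a file whose basename starts with "~d" was created.
    - "registry_points_to_tilded_file": a registry value was written whose data
      names such a file (the loader-consults-a-key pattern from the article).
    - "correlated_loader_config": the registry value names a file that was seen
      being created on the same host earlier in the stream; higher confidence.
    """
    findings = []
    created = {}  # host -> set of lower-cased tilded paths already created
    for ev in events:
        if ev.kind == "file_create" and is_tilded_name(ev.data):
            findings.append((ev.host, "tilded_filename", ev.data))
            created.setdefault(ev.host, set()).add(ev.data.lower())
        elif ev.kind == "reg_set" and is_tilded_name(ev.data):
            if ev.data.lower() in created.get(ev.host, set()):
                findings.append((ev.host, "correlated_loader_config", ev.reg_key))
            else:
                findings.append((ev.host, "registry_points_to_tilded_file", ev.reg_key))
    return findings


# Constructed sample telemetry. Paths and key names are illustrative only and are
# not the actual Duqu or Stuxnet artifacts. "~DF1234.tmp" is included on purpose:
# legitimate software also creates such names, so the heuristic needs triage.
SAMPLE_EVENTS = [
    Event("file_create", "ws01", r"C:\Windows\Temp\~DF1234.tmp"),
    Event("file_create", "ws01", r"C:\Users\alice\AppData\Local\Temp\~dtmp.dll"),
    Event("file_create", "ws02", r"C:\Windows\System32\drivers\example.sys"),
    Event("reg_set", "ws01", r"C:\Users\alice\AppData\Local\Temp\~dtmp.dll",
          reg_key=r"HKLM\SOFTWARE\ExampleVendor\Config"),   # hypothetical key
    Event("reg_set", "ws02", r"C:\Temp\~dother.bin",
          reg_key=r"HKLM\SOFTWARE\ExampleVendor\Config"),   # hypothetical key
    Event("reg_set", "ws02", "1", reg_key=r"HKLM\SOFTWARE\ExampleVendor\Flag"),
]


def summarize(events=SAMPLE_EVENTS):
    """Count findings per reason; a quick triage view over a telemetry batch."""
    counts = {}
    for _, reason, _ in scan(events):
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for host, reason, detail in scan(SAMPLE_EVENTS):
        print(f"{host:5} {reason:32} {detail}")
```

On the constructed sample this yields two file-name hits on ws01, one correlated loader-config hit on ws01 (the registry value points at a file that host created earlier), and one uncorrelated registry hit on ws02. In a real deployment the event list would come from your endpoint agent's file-creation and registry-write events, and the "~DF*.tmp" style hits would be whitelisted after checking the creating process.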

Those components handle tasks including delivering the malware to a PC, installing it, communicating with its operators, stealing data and replicating itself.
Of course, the main antivirus firms have already incorporated technology into their products to protect computers from infection by Stuxnet and Duqu.
Do you believe it is so easy to identify those components from a registry key? Wrong!
Consider that the malware developers have the opportunity to test their antivirus evasion techniques during development, and for the attack they can rely on the 0-day effect.

How old is this platform? Kaspersky experts believe that Tilded traces back to at least 2007, because specific code installed by Duqu was compiled on a device running a Windows operating system on August 31, 2007.


Pierluigi Paganini

(Security Affairs – Duqu, cyber espionage)


References

Stuxnet weapon has at least 4 cousins -researchers

