Reliable Security Information
Duqu virus: Following the patterns of malware proliferation

Here's the basic truth on computer virus proliferation: Once out, there is no controlling what others might do to your -- or anyone else's -- creation. So, at this point it cannot be known with absolute certainty if Duqu's creators were Stuxnet's.

In any case, I'm sure the media will fill up with all kinds of spontaneously-generated theories on the subject.

However, the expanded argument goes something like this:

The history of malware generation and proliferation tells us that once a certain piece is in circulation others build upon it. In fact, there has always been a great enthusiasm for doing so.

Therefore, malicious s code eventually either gets distributed or becomes an open book to those in the malware art interested in adopting pieces of it for their own purposes.

It becomes attractive game for others to analyze and use.

Stuxnet was widely distributed to many computer security experts. Many of them do contract work for government agencies, labor that would perhaps require a variety of security clearances and which would involve doing what would be seen by others to be black hat in nature. When that happened all bets were off.

So, to summarize, once a thing is in world circulation it is not protected or proprietary property. Such malicious code may contain hindrances to copying or reverse engineering but these can be overcome given enough effort. Add to this the fact that source code for malware has never been secure. It always becomes something coveted by many, often in direct proportion to its fame.

Therefore, it would not be surprising given the Byzantine and secretive interlinked nature of this world, that Stuxnet code had leaked, even if only in bits and pieces.

How do we know all this? It's been the way of computer virus writers since the advent of malicious programming. And while that world is far behind and virus writing is now propelled by economic and, now -- apparently geopolitical, incentivization -- the basic analysis of black code for purposes of reuse remains the same.

Way back in 1990 there was an old executable file virus called The Whale. It was named for its size, large and defiantly difficult for what were then mostly tiny assembly-coded things. The Whale's primary purpose was that of an intellectual puzzle. It was written to suck in anti-virus researchers, other virus writers, computer security workers and the merely curious wishing to take it apart, like a virtual tarpit. Most of its code was aimed at obfuscation.

In not too short a time another virus-writer had disassembled it and posted the source code in cyberspace. While the Whale never furnished much of anything others were interested in reusing except a couple conceptual ideas on disguising code and complication, in the end all its secrets were pried loose.

And so it has always been.

This post was published in an earlier form at Dick Destiny blog.

Subscribe to SitRep: SitRep RSS Feed SitRep ATOM Feed