The threat we call 'Duqu' is based on Stuxnet and is very similar to it. Only a few sites are so far known to have been attacked by the code, and unlike Stuxnet it has no PLC functionality.
Instead, the code, which is delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code. In fact, the driver code used for the injection attack is very similar to Stuxnet's, as are several of the encryption keys and techniques that Stuxnet used.
- Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Link Library) files. The kernel driver serves as an "injection" engine that loads these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
- The encrypted DLL files are stored with the .PNF extension, which Microsoft Windows normally uses for precompiled setup information (INF) files. This commonality follows from the similar kernel driver implementation in the two threats.
- The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
- Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate. One variant of the Duqu kernel driver was signed by a certificate from C-Media Electronics Incorporation.
An unsigned Duqu kernel driver claimed to be a driver from JMicron Technology Company, the same company whose software signing certificate was used to sign one of the Stuxnet kernel driver files.
A shared software signing certificate is by itself insufficient evidence to conclude that the samples are related, because compromised signing certificates can be obtained from a number of sources. One would have to show that the certificates came from a common source to draw a definitive conclusion.
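The .PNF observation above suggests a simple triage check an analyst can run over a suspect host's INF directory: a genuine precompiled INF is a binary file dominated by UTF-16 strings and is created beside the .inf it was compiled from, whereas an encrypted DLL parked under the same extension has near-maximal byte entropy and typically no matching .inf. The script below is an added example, not code from the original report or from any Duqu/Stuxnet analysis tool; it assumes the analyst points it at a copy of %SystemRoot%\inf, the 7.2 bits/byte threshold and the orphan-.PNF heuristic are assumptions rather than published indicators, and the sample files it builds when run without arguments are constructed for the demonstration.

```python
import hashlib
import math
import sys
import tempfile
from pathlib import Path

# Heuristic threshold (assumption): encrypted or compressed payloads approach 8 bits/byte,
# while genuine precompiled INF files, being mostly UTF-16 text, land well below.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def has_sibling_inf(pnf: Path) -> bool:
    """True if a same-named .inf sits beside the .PNF (case-insensitive match)."""
    stem = pnf.stem.lower()
    return any(p.is_file() and p.stem.lower() == stem and p.suffix.lower() == ".inf"
               for p in pnf.parent.iterdir())


def triage_pnf_dir(directory) -> list[dict]:
    """Score every .PNF in `directory`; returns one dict per file, sorted by name."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".pnf":
            continue
        data = path.read_bytes()
        entropy = shannon_entropy(data)
        sibling = has_sibling_inf(path)
        reasons = []
        if entropy >= ENTROPY_THRESHOLD:
            reasons.append("entropy %.2f >= %.1f (looks encrypted)" % (entropy, ENTROPY_THRESHOLD))
        if not sibling:
            reasons.append("no matching .inf beside it")
        findings.append({
            "file": path.name,
            "size": len(data),
            "entropy": round(entropy, 3),
            "has_inf": sibling,
            # High entropy is the primary signal; an orphan .PNF alone is only supporting
            # evidence, since stale PNFs whose INF was removed do occur on clean hosts.
            "suspicious": entropy >= ENTROPY_THRESHOLD,
            "reasons": reasons,
        })
    return findings


def _pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_demo_dir() -> Path:
    """Constructed sample directory: one benign-looking .inf/.PNF pair and one orphan encrypted .PNF."""
    d = Path(tempfile.mkdtemp(prefix="pnf-triage-"))
    inf_text = "[Version]\r\nSignature=\"$Windows NT$\"\r\nClass=Net\r\n" * 40
    (d / "netdrv.inf").write_text(inf_text, encoding="utf-8")
    # Real PNFs are binary but dominated by UTF-16 strings; emulate that with UTF-16LE text
    # plus zero padding, which keeps the entropy low.
    (d / "netdrv.PNF").write_bytes(inf_text.encode("utf-16-le") + b"\x00" * 512)
    # Constructed stand-in for an encrypted DLL dropped under the .PNF extension with no .inf.
    (d / "abc123.PNF").write_bytes(_pseudo_random_bytes(8192))
    return d


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_dir()
    for f in triage_pnf_dir(target):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['file']:<16} {f['size']:>8} B  H={f['entropy']:.3f}  "
              f"inf={str(f['has_inf']):<5} {flag}  {'; '.join(f['reasons'])}")
```

Run it as `python pnf_triage.py C:\Windows\inf` (or against an offline copy of that directory); with no argument it builds the constructed samples and prints one line per .PNF. Treat a hit as a reason to pull the file for analysis, not as a verdict: entropy says nothing about which family wrote the file, and, as the report notes for certificates, a shared technique is not by itself proof of shared authorship.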