First signs that Stuxnet was part of a larger family of malicious software, or malware, came with the discovery in September 2010 of Duqu, a specialized espionage program. Duqu appears to be designed to zero in on industrial secrets related to Stuxnet's target, and its code contains digital fingerprints akin to some in Stuxnet, indicating it was created with some of the same source code. Stuxnet's mission, much of it now decoded, was to wreak havoc on Iran's ability to refine nuclear fuel using centrifuges.
"We've done the same analysis Kaspersky has, and seen the same timelines, dates, encryption keys," says Liam O Murchu, manager of operations for Symantec Security Response, in a phone interview. "We think Stuxnet and Duqu are made by the same team, with the same goal.... They can change [the software weapon produced on the common platform], manipulate it, have different payloads."
Using a common malware "platform," or "framework," can be likened to an auto factory building an exotic car, like a Lamborghini. There are a lot of common parts, but also a bit of artistry. There may be a common frame and engine, but other code has been hand-tooled by expert engineers, Mr. Raiu and Mr. O Murchu agree.
That common platform – for Stuxnet, Duqu, and the rest – is a way to reuse software that was expensive to develop. But it also allows for faster assembly of existing modules into full-blown cyberweapons, which can then be tweaked to sabotage a new industrial control system target or to evade detection.
"Let's imagine you want to steal documents," Raiu adds. "You don't need the sort of sabotage capability built into Stuxnet, so you take that off. Instead, you use the same platform to create targeted malware, but perhaps focusing on espionage instead. That's Duqu."