{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,28]],"date-time":"2026-05-28T02:26:42Z","timestamp":1779935202337,"version":"3.53.1"},"reference-count":32,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2012,11,6]],"date-time":"2012-11-06T00:00:00Z","timestamp":1352160000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/3.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Stuxnet was the first targeted malware that received worldwide attention for causing physical damage in an industrial infrastructure seemingly isolated from the online world. Stuxnet was a powerful targeted cyber-attack, and soon other malware samples were discovered that belong to this family. In this paper, we will first present our analysis of Duqu, an information-collecting malware sharing striking similarities with Stuxnet. We describe our contributions in the investigation ranging from the original detection of Duqu via finding the dropper file to the design of a Duqu detector toolkit. We then continue with the analysis of the Flame advanced information-gathering malware. Flame is unique in the sense that it used advanced cryptographic techniques to masquerade as a legitimate proxy for the Windows Update service. We also present the newest member of the family, called Gauss, whose unique feature is that one of its modules is encrypted such that it can only be decrypted on its target system; hence, the research community has not yet been able to analyze this module. For this particular malware, we designed a Gauss detector service and we are currently collecting intelligence information to be able to break its very special encryption mechanism. Besides explaining the operation of these pieces of malware, we also examine if and how they could have been detected by vigilant system administrators manually or in a semi-automated manner using available tools. Finally, we discuss lessons that the community can learn from these incidents. We focus on technical issues, and avoid speculations on the origin of these threats and other geopolitical questions.<\/jats:p>","DOI":"10.3390\/fi4040971","type":"journal-article","created":{"date-parts":[[2012,11,6]],"date-time":"2012-11-06T11:18:13Z","timestamp":1352200693000},"page":"971-1003","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":143,"title":["The Cousins of Stuxnet: Duqu, Flame, and Gauss"],"prefix":"10.3390","volume":"4","author":[{"given":"Boldizs\u00e1r","family":"Bencs\u00e1th","sequence":"first","affiliation":[{"name":"Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tud\u00f3sok krt 2, 1521 Budapest, Hungary"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"G\u00e1bor","family":"P\u00e9k","sequence":"additional","affiliation":[{"name":"Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tud\u00f3sok krt 2, 1521 Budapest, Hungary"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Levente","family":"Butty\u00e1n","sequence":"additional","affiliation":[{"name":"Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tud\u00f3sok krt 2, 1521 Budapest, Hungary"},{"name":"Information Systems Research Group, Budapest University of Technology and Economics, Magyar tud\u00f3sok krt 2, 1117 Budapest, Hungary"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"M\u00e1rk","family":"F\u00e9legyh\u00e1zi","sequence":"additional","affiliation":[{"name":"Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tud\u00f3sok krt 2, 1521 Budapest, Hungary"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2012,11,6]]},"reference":[{"key":"ref_1","unstructured":"Falliere, N., Murchu, L.O., and Chien, E. (2011). W32.Stuxnet Dossier; Symantec Security Response, Symantec."},{"key":"ref_2","unstructured":"Building a Cyber Secure Plant. Available online:http:\/\/www.totallyintegratedautomation.com\/2010\/09\/building-a-cyber-secure-plant\/."},{"key":"ref_3","unstructured":"Symantec Security Response. Available online:http:\/\/www.symantec.com\/connect\/blogs\/w32flamer-leveraging-microsoft-digital-certificates."},{"key":"ref_4","unstructured":"(2012). Gauss: Abnormal Distribution; Technical Report, Kaspersky Lab."},{"key":"ref_5","unstructured":"Bencs\u00e1th, B., P\u00e9k, G., Butty\u00e1n, L., and F\u00e9legyh\u00e1zi, M. (2012, January 10). Duqu: Analysis, Detection, and Lessons Learned. Proceedings of the ACM European Workshop on System Security (EuroSec), Bern, Switzerland."},{"key":"ref_6","unstructured":"(2011). W32.Duqu: The Precursor to the Next Stuxnet; Technical Report Version 1.0, Symantec."},{"key":"ref_7","unstructured":"Symantec Security Response. Available online:http:\/\/www.symantec.com\/connect\/blogs\/duqu-status-update-1."},{"key":"ref_8","unstructured":"Available online:http:\/\/technet.microsoft.com\/en-us\/security\/bulletin\/ms11-087."},{"key":"ref_9","unstructured":"(2012). Duqu Detector, version 1.24, CrySyS Lab."},{"key":"ref_10","unstructured":"Bencs\u00e1th, B., P\u00e9k, G., Butty\u00e1n, L., and F\u00e9legyh\u00e1zi, M. (2011). 
Duqu: A Stuxnet-Like Malware Found in the Wild;Technical Report Version 0.93 , CrySyS Lab."},{"key":"ref_11","unstructured":"(2011). W32.Duqu: The Precursor to the Next Stuxnet; Technical Report Version 1.4, Symantec."},{"key":"ref_12","unstructured":"Gostev, A., and Soumenkov, I. (2011). Stuxnet\/Duqu: The Evolution of Drivers, Technical Report, Kaspersky Lab."},{"key":"ref_13","unstructured":"(2012). sKyWIper: A Complex Malware for Targeted Attacks; Technical Report Version 1.0, CrySyS Lab."},{"key":"ref_14","unstructured":"Gostev, A. Flame: Bunny, Frog, Munch and BeetleJuice. Available online:http:\/\/www.securelist.com\/en\/blog\/208193538\/Flame Bunny Frog Munch and BeetleJuice."},{"key":"ref_15","unstructured":"Sotirov, A. Analyzing the MD5 Collision in Flame. Available online:https:\/\/speakerdeck.com\/ asotirov\/analyzing-the-md5-collision-in-flame."},{"key":"ref_16","unstructured":"Santamarta, R. Inside Flame: You Say Shell32,I Say MSSECMGR. Available online:http:\/\/blog.ioactive.com\/2012\/06\/inside-flame-you-say-shell32-i-say.html."},{"key":"ref_17","unstructured":"Ligh, M.H. QuickPost: Flame & Volatility. Available online:http:\/\/mnin.blogspot.hu\/2012\/06\/quickpost-flame-volatility.html."},{"key":"ref_18","unstructured":"Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., and de Weger, B. MD5 considered harmful today\u2014Creating a rogue CA certificate. Available online:http:\/\/www.win.tue.nl\/hashclash\/rogue-ca\/."},{"key":"ref_19","unstructured":"Stevens, M. Technical Background on the Flame Collision Attack. Available online:http:\/\/www.cwi.nl\/news\/2012\/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware."},{"key":"ref_20","unstructured":"The Mystery of the Encrypted Gauss Payload. Available online:http:\/\/www.securelist.com\/en\/blog\/208193781\/The Mystery of the Encrypted Gauss Payload."},{"key":"ref_21","unstructured":"(2012). 
Gauss Info Collector, version 1, CrySyS Lab."},{"key":"ref_22","unstructured":"Freiling, F.C., and Schwittay, B. (2007, January 11\u201312). Towards reliable rootkit detection in live response. Proceedings of the International Conference on IT-Incidents Management and IT-Forensics (IMF), Stuttgart, Germany."},{"key":"ref_23","unstructured":"Russinowich, M., and Cogswell, B. Process Monitor. Available online:http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb896645.aspx."},{"key":"ref_24","unstructured":"Russinowich, M. Process Explorer. Available online:http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb896653.aspx."},{"key":"ref_25","unstructured":"Russinowich, M., and Cogswell, B. VMMap v3.11. Available online:http:\/\/technet.microsoft.com\/en-us\/sysinternals\/dd535533.aspx."},{"key":"ref_26","unstructured":"Batler, J. Virus:W32\/Alman.B. Available online:http:\/\/www.f-secure.com\/v-descs\/fu.shtml."},{"key":"ref_27","unstructured":"XueTr Download Page. Available online:http:\/\/www.xuetr.com\/download."},{"key":"ref_28","unstructured":"Provos, N., and Holz, T. (2007). Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Addison-Wesley Professional."},{"key":"ref_29","unstructured":"Holz, T., and Raynal, F. (2005, January 15\u201317). Detecting honeypots and other suspicious environments. Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop, West Point, NY, USA."},{"key":"ref_30","unstructured":"Available online:http:\/\/technet.microsoft.com\/en-us\/security\/bulletin\/ms12-034."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Vigna, G. (1999). Mobile Agents and Security, Springer.","DOI":"10.1007\/3-540-68671-1"},{"key":"ref_32","unstructured":"Filiol, E. (May,, January 30). Strong cryptography armoured computer viruses forbidding code analysis: The Bradley virus. 
Proceedings of the 14th European Institute for Computer Antivirus Research (EICAR) Conference, Valletta, Malta."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/4\/4\/971\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T21:53:20Z","timestamp":1760219600000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/4\/4\/971"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012,11,6]]},"references-count":32,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2012,12]]}},"alternative-id":["fi4040971"],"URL":"https:\/\/doi.org\/10.3390\/fi4040971","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2012,11,6]]}}}