Kaspersky Lab: Duqu Framework Likely Written in an Unknown Programming Language

Duqu's Unknown Programming Language

Kaspersky Lab Researchers Say Parts of Duqu Are Written in an Unknown Programming Language, Uses Asynchronous Commutations

Duqu, sometimes referred to as “Son of Stuxnet”, surfaced in October 2010 and has been the subject of considerable industry research as experts attempt to unveil more details on the mystery and origin of the malware. Duqu was designed to help attackers infiltrate systems via backdoor access and steal information and data primarily from industrial control systems and corporate secrets. In other words, the ultimate cyber-espionage weapon.

But Duqu, which shares many similarities with Stuxnet and is assumed to be from the same creators, is also quite different. There have been different assumptions and debates since Duqu’s discovery.

This week, however, Kaspersky Lab researchers have shared some new and fascinating findings in relation to certain components of the complex malware. The Moscow-based security firm, which has published a number of discoveries and detailed research on Duqu over the past several months, says that unlike the majority of Duqu’s body, its framework appears to be written in an unknown programming language.

The Kaspersky team has been able to eliminate just about every popular programming language. It’s not C++, Objective C, Java, Python, Ada, Lua or any of the many programming languages that the Kaspersky Lab checked.

Why would this be the case? “Given the size of the Duqu project, it is possible that another team was responsible for the framework than the team which created the drivers and wrote the system infection and exploits,” Igor Soumenkov, a Kaspersky Lab expert, explained.

The main component in question is the Payload DLL, part of which is used by the Trojan to communicate with its Command and Control (C&C) servers after infecting a system.

Whatever programming language was used in the Duqu framework is highly specialized, the researchers say. “It enables the Payload DLL to operate independently of the other Duqu modules and connects it to its dedicated C&C through several paths including Windows HTTP, network sockets and proxy servers. It also allows the Payload DLL to process HTTP server requests from the C&C directly, stealthily transmits copies of stolen information from the infected machine to the C&C, and can even distribute additional malicious payload to other machines on the network, which creates a controlled and discreet form of spreading infections to other computers.”

“It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language,” Soumenkov explained.

For reference, Stuxnet was written entirely in Microsoft Visual C++.

The Kaspersky researchers say certain “slices” of code in the Payload DLL may have been initially compiled in separate object files before being linked in a single DLL, but the slice in question is different. “This slice is different from others, because it was not compiled from C++ sources. It contains no references to any standard or user-written C++ functions.”

But there are a few things the researchers do know about the mystery code: it’s object-oriented and event-driven, and performs its own set of related activities ideal for network applications.

The highly event-driven architecture points to code that was designed to be used in a variety of conditions, including asynchronous commutations.

So what’s so important about asynchronous commutations?

“This model makes sure that any form of communication can still occur even when some communications are already happening and could be taking a long time,” Roel Schouwenberg, senior researcher at Kaspersky Lab, told SecurityWeek. “Most programs out there hang or freeze if a certain operation is taking too long, much like your browser or email client may do at times. Using this asynchronous model means there's no chance of that happening with Duqu.”

“The authors built an extremely resilient platform for that, ensuring Duqu, for instance, can still receive C&C commands while waiting for a response from another infected machine,” he added.

“The creation of a dedicated programming language demonstrates just how highly skilled the developers working on the project are, and points to the significant financial and labor resources that have been mobilized to ensure the project is implemented,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

Many interpret that as Duqu being a state-sponsored undertaking, as is assumed to be the case with Stuxnet.

At this point, Kaspersky Lab researchers are calling out to the programming community and asking for help. They hope that anyone who recognizes the framework, toolkit or programming language that can generate similar code constructions will reach out to help solve this next piece of the Duqu puzzle.

“We've gotten a number of interesting suggestions, including libevent, RoseRT and a custom C framework. Right now we're investigating these new suggestions and seeing if we can find a match,” Schouwenberg said. “We're trying to find out now if they indeed went through the trouble of creating a new programming language or if it's something which already exists, but simply unknown to us.”

A detailed technical analysis of Kaspersky’s discoveries is available here. For those who may have suggestions, you can contact the Kaspersky team at “stopduqu@kaspersky.com”.