
Mystery of Programming Language Used in Duqu Framework Solved

The mystery of Duqu Framework solved


Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community for help in solving a mystery related to “Duqu”, the Trojan often referred to as the “Son of Stuxnet”, which surfaced in October 2011.

The mystery lay in a section of code written in an unknown programming language and used in the Duqu Framework, the portion of the Payload DLL that the Trojan uses to interact with its Command & Control (C&C) servers once a system has been infected.

While Kaspersky Lab, along with other vendors and researchers, has produced significant research on the malware since its discovery, one component of it baffled analysts, ultimately prompting the Moscow-based security firm to ask for help.

Less than two weeks later, Kaspersky Lab experts say with a high degree of certainty that the Duqu Framework was written in a custom object-oriented extension of C, generally called “OO C”, and compiled with the Microsoft Visual C++ 2008 compiler (MSVC 2008) using options that optimize for code size and restrict inline expansion (/O1 and /Ob1).

In its earlier research, Kaspersky had been able to rule out just about every popular programming language, but it did know that whatever had been used was highly specialized: it allowed the Payload DLL to operate independently of the other Duqu modules and to reach a C&C server over several paths, including Windows HTTP, raw network sockets and proxy servers.

During a live online web conference this morning, Vitaly Kamluk, chief malware analyst at Kaspersky Lab, said that the framework could have been reused from an existing software project, something common for professional software developers but unique for malware writers.

Why did the authors of Duqu use OO C? While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, Kaspersky experts say there are two reasonable causes that support its use:

· More control over the code: when C++ appeared, many old-school programmers preferred to stay away from it, distrusting its hidden memory allocation and other language features that cause indirect execution of code behind the programmer’s back. OO C keeps every allocation and every indirect call explicit, giving a more predictable framework with less opportunity for unexpected behavior.

· Extreme portability: ten to twelve years ago C++ was not fully standardized in practice, and C++ code written for one compiler often would not build on another. Plain C offers extreme portability, since it can target every existing platform without running into the limitations associated with C++.
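To make concrete what “object-oriented C” means here, and how a single interface can front the several C&C transports mentioned above, the following is an added illustration written for this page; it is not Duqu’s code and not Kaspersky’s. It shows the idiom the analysis describes: every object begins with a pointer to a class table of function pointers, one generic routine allocates and constructs instances from that table, and methods are invoked through the table with an explicit `this`. The class names, the hostnames (TEST-NET documentation addresses) and the simulated byte counts are constructed for the example; no network I/O is performed.

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Every object starts with a pointer to its class table, so a generic
 * Object* can be dispatched on without knowing the concrete type.
 * This is the hand-rolled equivalent of a C++ vtable. */
typedef struct Object Object;

typedef struct Class {
    size_t      size;                              /* instance size for the allocator */
    const char *name;                              /* for diagnostics only */
    void (*ctor)(Object *self, void *arg);         /* constructor (may be NULL) */
    void (*dtor)(Object *self);                    /* destructor (may be NULL) */
    int  (*send)(Object *self, const char *msg);   /* "virtual" method */
} Class;

struct Object {
    const Class *cls;      /* class pointer at offset 0 */
    int          refcount; /* explicit lifetime management, no hidden magic */
};

/* One generic constructor for all classes: allocate cls->size bytes,
 * install the class pointer, then call the class's own ctor. */
static Object *object_new(const Class *cls, void *arg) {
    Object *obj = calloc(1, cls->size);
    if (!obj) return NULL;
    obj->cls = cls;
    obj->refcount = 1;
    if (cls->ctor) cls->ctor(obj, arg);
    return obj;
}

static void object_release(Object *obj) {
    if (obj && --obj->refcount == 0) {
        if (obj->cls->dtor) obj->cls->dtor(obj);
        free(obj);
    }
}

/* Virtual call: indirect through the class table with explicit `this`. */
static int object_send(Object *obj, const char *msg) {
    return obj->cls->send(obj, msg);
}

/* Two constructed transports implementing the same interface. The base
 * Object must be the first member so Object* casts remain valid. */
typedef struct {
    Object base;
    char   host[64];
    size_t bytes_sent;
} SocketChannel;

static void socket_ctor(Object *self, void *arg) {
    SocketChannel *s = (SocketChannel *)self;
    strncpy(s->host, (const char *)arg, sizeof s->host - 1);
}
static int socket_send(Object *self, const char *msg) {
    SocketChannel *s = (SocketChannel *)self;
    s->bytes_sent += strlen(msg);
    return (int)strlen(msg);            /* simulated: whole message "sent" */
}
static const Class SocketClass = {
    sizeof(SocketChannel), "SocketChannel", socket_ctor, NULL, socket_send
};

typedef struct {
    Object base;
    char   proxy[64];
    int    requests;
} ProxyChannel;

static void proxy_ctor(Object *self, void *arg) {
    ProxyChannel *p = (ProxyChannel *)self;
    strncpy(p->proxy, (const char *)arg, sizeof p->proxy - 1);
}
static int proxy_send(Object *self, const char *msg) {
    ProxyChannel *p = (ProxyChannel *)self;
    p->requests++;
    return (int)strlen(msg) + 16;       /* simulated: proxy adds a 16-byte header */
}
static const Class ProxyClass = {
    sizeof(ProxyChannel), "ProxyChannel", proxy_ctor, NULL, proxy_send
};

/* The caller chooses a transport at runtime and only ever touches Object*. */
static int send_via(const Class *cls, void *arg, const char *msg) {
    Object *ch = object_new(cls, arg);
    if (!ch) return -1;
    int n = object_send(ch, msg);
    object_release(ch);
    return n;
}

int main(void) {
    printf("socket: %d bytes\n", send_via(&SocketClass, "198.51.100.7", "hello"));
    printf("proxy : %d bytes\n", send_via(&ProxyClass, "proxy.example:8080", "hello"));
    return 0;
}
```

In a disassembly this idiom looks like C++ virtual dispatch (a table pointer at offset 0 and calls made through it), but without the C++ runtime, name mangling or RTTI that compiler-identification tools key on, which is one reason the usual language fingerprints did not match.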

“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customized framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” noted Igor Soumenkov, Chief Malware Expert at Kaspersky Lab. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”

“Once again, these indicate that Duqu, just like Stuxnet, is a ‘one of a kind’ piece of malware which stands out like a gem from the large mass of ‘dumb’ malicious programs we normally see,” Soumenkov concluded.

A blog post by Igor Soumenkov with additional details on the code analysis is available on Kaspersky Lab’s Securelist blog.

Related: Same Platform Used to Develop Stuxnet and Duqu Created other Malware

Related: India Seizes Servers Linked to Duqu as Experts Question its Relation to Stuxnet

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
