Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Mystery of Programming Language Used in Duqu Framework Solved

The mystery of Duqu Framework solved

The mystery of Duqu Framework solved

Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to “Duqu”, the Trojan often referred to as “Son of Stuxnet”, which surfaced in October 2010.

The mystery rested in a section of code written in an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected a system.

While Kaspersky Lab, as well as other vendors and researchers, have produced significant research on the malware since its discovery, a certain component of the malware baffled researchers and analysts, ultimately triggering the Moscow-based security firm to reach out for help.

Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

In its earlier research, Kaspersky had been able to eliminate just about every popular programming language, but did know that whatever was used, was highly specialized and enabled the Payload DLL to operate independently of the other Duqu modules and connect to a C&C server through several paths including Windows HTTP, network sockets and proxy servers.

During a live online web-conference this morning, Vitaly Kamluk, chief malware analyst at Kaspersky Lab, said that the framework could have been reused from an existing software project, something common for professional software developers, but unique for malware writers.

Why did the authors of Duqu use OO C? While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, Kaspersky experts say there are two reasonable causes that support its use:

· More control over the code: When C++ was published, many old school programmers preferred to stay away from it because of distrust in memory allocation and other obscure language features which cause indirect execution of code. OO C would provide a more reliable framework with less opportunity for unexpected behavior.

Advertisement. Scroll to continue reading.

· Extreme portability: About 10-12 years ago C++ was not entirely standardized and it was possible to have C++ code that was not interoperable with every compiler. Using C provides programmers with extreme portability since it’s capable of targeting every existing platform at any time without facing the limitations associated with C++.

“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customized framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” noted Igor Soumenkov, Chief Malware Expert at Kaspersky Lab. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”

“Once again, these indicate that Duqu, just like Stuxnet, is a ‘one of a kind’ piece of malware which stands out like a gem from the large mass of ‘dumb’ malicious program we normally see,” Soumenkov concluded.

A blog post by Igor Soumenkov with additional details on the code analysis is available here.

Related: Same Platform Used to Develop Stuxnet and Duqu Created other Malware

Related: India Seizes Servers Linked to Duqu as Experts Question its Relation to Stuxnet

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.