Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to “Duqu”, the Trojan often referred to as “Son of Stuxnet”, which surfaced in October 2010.
The mystery rested in a section of code written in an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected a system.
While Kaspersky Lab, as well as other vendors and researchers, have produced significant research on the malware since its discovery, a certain component of the malware baffled researchers and analysts, ultimately triggering the Moscow-based security firm to reach out for help.
Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.
In its earlier research, Kaspersky had been able to rule out just about every popular programming language, but did know that whatever was used was highly specialized and enabled the Payload DLL to operate independently of the other Duqu modules and connect to a C&C server through several paths, including Windows HTTP, network sockets and proxy servers.
During a live online web conference this morning, Vitaly Kamluk, chief malware analyst at Kaspersky Lab, said that the framework could have been reused from an existing software project, something common for professional software developers but unique for malware writers.
Why did the authors of Duqu use OO C? While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, Kaspersky experts say there are two reasonable causes that support its use:
· More control over the code: When C++ was published, many old school programmers preferred to stay away from it because of distrust in memory allocation and other obscure language features which cause indirect execution of code. OO C would provide a more reliable framework with less opportunity for unexpected behavior.
· Extreme portability: About 10-12 years ago C++ was not entirely standardized and it was possible to have C++ code that was not interoperable with every compiler. Using C provides programmers with extreme portability since it’s capable of targeting every existing platform at any time without facing the limitations associated with C++.
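To make the "more control" argument above concrete, here is the shape an object-oriented C framework typically takes, written as an added illustration for this article; it is not Duqu's code and not Kaspersky's analysis output. The class names (Channel, MemChannel, NullChannel), the message strings and the byte counts are constructed for the example. The point is the one the article makes: the per-class method table, the constructor that binds it, and every indirect call are all spelled out in plain C, which is also why an analyst looking at the compiled result sees tables of function pointers rather than compiler-generated C++ vtables.

```c
/* Added example of an "OO C" object system, written for illustration.
 * Not Duqu's code; class names and messages are constructed. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct Channel Channel;

/* The per-class method table. Every method call goes through one of these
 * pointers, so each indirect jump is visible in the C source. */
typedef struct ChannelVTable {
    int  (*open)(Channel *self);
    int  (*send)(Channel *self, const char *buf, size_t len);
    void (*destroy)(Channel *self);
} ChannelVTable;

/* Base "class": the vtable pointer is the first field, followed by shared state. */
struct Channel {
    const ChannelVTable *vt;
    size_t bytes_sent;
};

/* Derived "class": embeds the base struct first, so a MemChannel* is usable
 * wherever a Channel* is expected. Stores sent bytes in a fixed buffer. */
typedef struct MemChannel {
    Channel base;
    char    log[256];
    size_t  used;
} MemChannel;

static int mem_open(Channel *self) { (void)self; return 0; }

static int mem_send(Channel *self, const char *buf, size_t len) {
    MemChannel *mc = (MemChannel *)self;
    if (len > sizeof mc->log - mc->used) return -1;   /* bounds check before copying */
    memcpy(mc->log + mc->used, buf, len);
    mc->used += len;
    self->bytes_sent += len;
    return (int)len;
}

static void mem_destroy(Channel *self) { free(self); }

static const ChannelVTable MemChannel_vt = { mem_open, mem_send, mem_destroy };

/* "Constructor": allocate, zero, and bind the class table. */
Channel *MemChannel_new(void) {
    MemChannel *mc = calloc(1, sizeof *mc);
    if (mc == NULL) return NULL;
    mc->base.vt = &MemChannel_vt;
    return &mc->base;
}

/* A second class that accepts nothing, to show callers dispatch on the
 * table rather than on the concrete type. */
typedef struct NullChannel { Channel base; } NullChannel;

static int  null_open(Channel *self) { (void)self; return 0; }
static int  null_send(Channel *self, const char *buf, size_t len) {
    (void)self; (void)buf; (void)len;
    return -1;
}
static void null_destroy(Channel *self) { free(self); }

static const ChannelVTable NullChannel_vt = { null_open, null_send, null_destroy };

Channel *NullChannel_new(void) {
    NullChannel *nc = calloc(1, sizeof *nc);
    if (nc == NULL) return NULL;
    nc->base.vt = &NullChannel_vt;
    return &nc->base;
}

/* Generic code written against the base interface only. Returns the number
 * of bytes the channel accepted, or 0 if it could not be opened. */
size_t channel_send_all(Channel *ch, const char *const *msgs, size_t n) {
    if (ch->vt->open(ch) != 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (ch->vt->send(ch, msgs[i], strlen(msgs[i])) < 0) break;
    }
    return ch->bytes_sent;
}

/* Drives either class through the same generic routine and returns the byte
 * count: 11 for the memory channel ("hello" + "world!"), 0 for the null one. */
size_t oo_c_demo(int use_null_channel) {
    static const char *const msgs[] = { "hello", "world!" };   /* constructed sample input */
    Channel *ch = use_null_channel ? NullChannel_new() : MemChannel_new();
    if (ch == NULL) return 0;
    size_t sent = channel_send_all(ch, msgs, 2);
    ch->vt->destroy(ch);   /* "virtual destructor" via the same table */
    return sent;
}

int main(void) {
    return (oo_c_demo(0) == 11 && oo_c_demo(1) == 0) ? 0 : 1;
}
```

Compiled with a C99 compiler, `channel_send_all` never names a concrete class; swapping the transport is a matter of constructing a different object, which is the same flexibility the article attributes to the Payload DLL's multiple C&C paths, achieved without any C++ runtime support.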
“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customized framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” noted Igor Soumenkov, Chief Malware Expert at Kaspersky Lab. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”
“Once again, these indicate that Duqu, just like Stuxnet, is a ‘one of a kind’ piece of malware which stands out like a gem from the large mass of ‘dumb’ malicious programs we normally see,” Soumenkov concluded.
A blog post by Igor Soumenkov with additional details on the code analysis is available here.