Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Mystery of Programming Language Used in Duqu Framework Solved

The mystery of Duqu Framework solved

The mystery of Duqu Framework solved

Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to “Duqu”, the Trojan often referred to as “Son of Stuxnet”, which surfaced in October 2010.

The mystery rested in a section of code written in an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected a system.

While Kaspersky Lab, as well as other vendors and researchers, have produced significant research on the malware since its discovery, a certain component of the malware baffled researchers and analysts, ultimately triggering the Moscow-based security firm to reach out for help.

Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

In its earlier research, Kaspersky had been able to eliminate just about every popular programming language, but did know that whatever was used, was highly specialized and enabled the Payload DLL to operate independently of the other Duqu modules and connect to a C&C server through several paths including Windows HTTP, network sockets and proxy servers.

During a live online web-conference this morning, Vitaly Kamluk, chief malware analyst at Kaspersky Lab, said that the framework could have been reused from an existing software project, something common for professional software developers, but unique for malware writers.

Why did the authors of Duqu use OO C? While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, Kaspersky experts say there are two reasonable causes that support its use:

· More control over the code: When C++ was published, many old school programmers preferred to stay away from it because of distrust in memory allocation and other obscure language features which cause indirect execution of code. OO C would provide a more reliable framework with less opportunity for unexpected behavior.

· Extreme portability: About 10-12 years ago C++ was not entirely standardized and it was possible to have C++ code that was not interoperable with every compiler. Using C provides programmers with extreme portability since it’s capable of targeting every existing platform at any time without facing the limitations associated with C++.

“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customized framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” noted Igor Soumenkov, Chief Malware Expert at Kaspersky Lab. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”

“Once again, these indicate that Duqu, just like Stuxnet, is a ‘one of a kind’ piece of malware which stands out like a gem from the large mass of ‘dumb’ malicious program we normally see,” Soumenkov concluded.

A blog post by Igor Soumenkov with additional details on the code analysis is available here.

Related: Same Platform Used to Develop Stuxnet and Duqu Created other Malware

Related: India Seizes Servers Linked to Duqu as Experts Question its Relation to Stuxnet

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.