by Kerry Butters
Duqu written in mystery code
Security experts at Kaspersky have discovered that part of the C&C code for Duqu is written in an unknown programming language. The code was found in the payload dll and it’s thought to be the main component of the Trojan, which is used to contact C&C servers to receive additional instructions.
Whilst much of the payload DLL is written in C++, the code contains ‘slices’, one of which differs from the others in that it was not compiled from C++ sources.
“It contains no references to any standard or user-written C++ functions, but is definitely object-oriented. We call it the Duqu Framework,” Kaspersky said in a blog post asking the coding community for help.
Duqu, dubbed ‘son of Stuxnet’ last year due to its similarity to the Stuxnet worm, is thought to have been written by the same culprits as those responsible for the above worm which targeted Iranian nuclear plants.
The Duqu code was found to have striking similarities when it appeared, although it seemed to perform more of a ‘smash and grab’ function than Stuxnet, as it was found to be surreptitiously stealing information.
It seems that although the experts at Kaspersky understand what the mystery code in Duqu does, they don’t know how, as the code is unrecognisable. The payload dll operates in a number of ways and through various ports, ensuring that it can communicate with the C&C centre in order to transfer stolen data and infect further machines.
Duqu appears to have been constructed by a team and it is thought that a lot of financial input has gone into the project.
This would suggest that the Trojan has been created by someone with a large amount of resources, both financial and technical, and it has been put forward by more than one security expert that it has been created by a country, rather than cybercriminals.
Kaspersky say that the unknown code is “definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages [they] have checked.”
All of the other code in Duqu is C++ compiled with Microsoft’s Visual C++ 2008; Stuxnet was written in MSVC++.
A detailed analysis of the code used can be found in a blog post by Igor Soumenkov on the Kaspersky website.
“We would like to make an appeal to the programming community and ask anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions, to contact us or drop us a comment in this blogpost. We are confident that with your help we can solve this deep mystery in the Duqu story,” the post appealed.
Replies posted to the blog today suggested that the code looked suspiciously like that found in “older IBM compilers”.
Coders went on to argue that if Duqu had been a state-sponsored project, then IBM would almost certainly have bid for it, due to a history of similar behaviour. One reply stated that the IBM code “would be very useful in this virus”.
“It can track and monitor all types of communications. It can connect to everything and anything,” the post went on to say.