19 Mar 2012, Virus News
Kaspersky Lab recently appealed to the programming community for assistance in solving one of the biggest mysteries of the Duqu Trojan, which was identifying an unknown code block located inside a section of the malicious program’s Payload DLL. The unknown code section, titled the “Duqu Framework” was a portion of the Payload DLL that was responsible for interacting with its Command & Control (C&C) servers after the Trojan infected a victim’s machine.
After receiving an incredible amount of helpful feedback from the programming community, Kaspersky Lab experts have stated with a high degree of certainty that the Duqu Framework consists of “C” source code compiled with Microsoft Visual Studio 2008 and special options for optimizing code size and inline expansion. The code was also written with a customized extension for combining object-oriented programming with C, generally referred to as “OO C.”
This kind of in-house programming is highly sophisticated and more commonly found in complex ‘civil’ software projects, rather than contemporary malware.
While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, there are two reasonable causes that support its use:
“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customized framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” said Igor Soumenkov, malware expert. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”
Kaspersky Lab would like to thank everyone who participated in the quest to help identify this unknown code.
To read the full version of the analysis, written by Igor Soumenkov, please visit Securelist.
The analysis includes the technical details of the framework, methods of identification and the knowledgeable comments Kaspersky Lab received that helped solve this piece of the Duqu puzzle.