Kaspersky Lab Experts Identify Mysterious Language in the Duqu Trojan; Thanks Programming Community for its Support of the Analysis

19 Mar
Virus News

Kaspersky Lab recently appealed to the programming community for assistance in solving one of the biggest mysteries of the Duqu Trojan, which was identifying an unknown code block located inside a section of the malicious program’s Payload DLL. The unknown code section, titled the “Duqu Framework” was a portion of the Payload DLL that was responsible for interacting with its Command & Control (C&C) servers after the Trojan infected a victim’s machine.

After receiving an incredible amount of helpful feedback from the programming community, Kaspersky Lab experts have stated with a high degree of certainty that the Duqu Framework consists of “C” source code compiled with Microsoft Visual Studio 2008 and special options for optimizing code size and inline expansion. The code was also written with a customized extension for combining object-oriented programming with C, generally referred to as “OO C.”

This kind of in-house programming is highly sophisticated and more commonly found in complex ‘civil’ software projects, rather than contemporary malware.

While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, there are two reasonable causes that support its use:

  • More control over the code: When C++ was published, many old school programmers preferred to stay away from it because of distrust in memory allocation and other obscure language features which cause indirect execution of code.  OO C would provide a more reliable framework with less opportunity for unexpected behavior.
  • Extreme portability: About 10-12 years ago C++ was not entirely standardized and it was possible to have C++ code that was not interoperable with every compiler. Using C provides programmers with extreme portability since it’s capable of targeting every existing platform at any time without facing the limitations associated with C++. 

“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customized framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” said Igor Soumenkov, malware expert. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”

Kaspersky Lab would like to thank everyone who participated in the quest to help indentify this unknown code.

To read the full version of the analysis, written by Igor Soumenkov, please visit Securelist.

The analysis includes the technical details of the framework, methods of identification and the knowledgeable comments Kaspersky Lab received that helped solve this piece of the Duqu puzzle.