Kaspersky Lab Experts Discover Unknown Programming Language in the Duqu Trojan; Appeal to Programming Community for Support in Analysis
The anti-malware experts at Kaspersky Lab have discovered that part of the Duqu Trojan was written in an unknown programming language.
Duqu is a sophisticated Trojan that was created by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. Duqu was first detected in September 2011, but according to Kaspersky Lab data, the first trace of Duqu-related malware dates back to August 2007. The company’s experts have recorded over a dozen incidents involving Duqu, with the vast majority of victims located in Iran. An analysis of the victim organizations’ activities and the nature of the information targeted by the Duqu authors clearly suggest the main goal of the attacks was to steal information about industrial control systems used in a number of industries as well as gathering intelligence about the commercial relations of a whole range of Iranian organizations.
The big unsolved mystery of the Duqu Trojan relates to how the malicious program was communicating with its Command and Control (C&C) servers once it infected a victim’s machine. The Duqu module that was responsible for interacting with the C&Cs is part of its Payload DLL. After a comprehensive analysis of the Payload DLL, Kaspersky Lab researchers have discovered that a specific section inside the Payload DLL, which communicates exclusively with the C&Cs, was written in an unknown programming language. Kaspersky Lab researchers have named this unknown section the “Duqu Framework.”
Unlike the rest of Duqu, the Duqu Framework is not written in C++ and it's not compiled with Microsoft's Visual C++ 2008. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language. However, Kaspersky Lab researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications.
The language in the Duqu Framework is highly specialized. It enables the Payload DLL to operate independently of the other Duqu modules and connects it to its dedicated C&C through several paths including Windows HTTP, network sockets and proxy servers. It also allows the Payload DLL to process HTTP server requests from the C&C directly, stealthily transmits copies of stolen information from the infected machine to the C&C, and can even distribute additional malicious payload to other machines on the network, which creates a controlled and discreet form of spreading infections to other computers. A full description of the analysis and its related data can be found at Securelist, Kaspersky Lab’s research site.
“Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team which created the drivers and wrote the system infection exploits,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab. “With the extremely high level of customization and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program.”
According to Alexander Gostev, the creation of a dedicated programming language demonstrates just how highly skilled the developers working on the project are, and points to the significant financial and labor resources that have been mobilized to ensure the project is implemented.
Kaspersky Lab would like to make an appeal to the programming community and ask anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions, to please contact our experts.
We are confident that with your help we can solve this deep mystery in the Duqu saga.
The full version of the Duqu Framework analysis by Igor Soumenkov and Costin Raiu can be found on here on Securelist.
Kaspersky Lab Experts Discover Unknown Programming Language in the Duqu Trojan; Appeal to Programming Community for Support in Analysis
Kaspersky
Related Articles Virus News
Turkey, Russia, Southeast Asia and Latin America hit by Android threats, Kaspersky identifies
Three new dangerous Android malware variants have been analyzed by Kaspersky researchers. The Tambir, Dwphon, and Gigabud malicious programs exhibit diverse features, ranging from downloading other programs and credential theft to bypassing two-factor authentication (2FA) and screen recording, jeopardizing user privacy and security.Read More >Targeted ransomware groups have grown in numbers and sophistication, say Kaspersky experts
An in-depth research by Kaspersky experts shows a surge in the number of targeted ransomware groups globally by 30% from 2022 to 2023. In parallel to this increase, the number of victims of targeted ransomware attacks spiked by 70% within the same time period. These insights were shared at Kaspersky’s ninth annual Cyber Security Weekend – META, which took place in Kuala Lumpur.Read More >‘Coyote’ ugly: Kaspersky unveils banking trojan targeting over 60 institutions
A new sophisticated banking Trojan that steals sensitive financial information and introduces advanced tactics to avoid detection has been discovered by Kaspersky's Global Research and Analysis Team (GReAT). Dubbed 'Coyote,' this malware relies on the Squirrel installer for distribution, its name drawing inspiration from coyotes, the natural predators of squirrels.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.