Mystery programming language in Duqu revealed

Researchers believe they have figured out the "mystery" programming language found in the Duqu trojan

Last week, we highlighted the peculiarity of Duqu, a piece of malware security experts believe was coded by the same people who developed Stuxnet, the famed trojan which took measures to disrupt Iran's nuclear weapons program.

In terms of both sophistication and its mission, Stuxnet is widely considered to be the most advanced piece of malware ever discovered. And though Duqu is remarkably similar, it presented a new twist, namely that it incorporated blocks of code written in a programming language that security researchers had never seen before.

Consequently, security researchers at Kaspersky Lab reached out to the programming community for help in identifying the programming language Duqu's programmers employed.

Now, a week or so later, the folks over at Kaspersky Lab, with help and advice from a number of people within the programming community, have cracked the code.

Igor Soumenkov of Kaspersky Lab highlights their findings, noting that the mysterious and previously unrecognized code was written using an OO C framework, a custom object-oriented dialect of C, and was compiled with the Microsoft Visual Studio 2008 compiler.

"So, we can say with a high degree of certainty that the resulting binary was compiled with MSVC 2008 and options /O1 /Ob1 and the input source code was pure C," Soumenkov explained.

Now, there are several open-source “OO C” frameworks available, and some of them produce code constructions that are very similar to those in the Duqu code. The best match we found is SOO (Simple Object Orientation for C), however it could not have been used in Duqu, because it was only published when the Trojan was already in the wild.

...The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers. This kind of programming is more commonly found in complex ‘civil’ software projects, rather than contemporary malware. Additionally, the whole event-driven architecture must have been developed as a part of the Duqu code or its OOC extension.
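To make the idiom concrete, here is an added example of the "OO C" pattern (not Duqu's code and not taken from Kaspersky's analysis; all names are hypothetical): a struct whose first member points to a table of function pointers, driven by a small event loop. Each method call becomes an indirect call through that table rather than a direct C function call, with no automatic memory management involved.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical "OO C" illustration: a hand-rolled vtable plus an event
 * loop. Names are invented for this example. */

typedef struct Object Object;

typedef struct {
    int (*handle_event)(Object *self, int event);  /* "virtual" method */
    void (*destroy)(Object *self);
} VTable;

struct Object {
    const VTable *vt;   /* first member: calls go through obj->vt->... */
    int state;
};

/* A concrete "class": accumulates the events it receives. */
static int counter_handle(Object *self, int event) {
    self->state += event;
    return self->state;
}
static void counter_destroy(Object *self) { self->state = 0; }

static const VTable counter_vt = { counter_handle, counter_destroy };

void counter_init(Object *o) { o->vt = &counter_vt; o->state = 0; }

/* Event-driven dispatch: every event is routed through the vtable, so the
 * compiled code contains an indirect call, not a fixed callee address. */
int run_events(Object *o, const int *events, size_t n) {
    int last = 0;
    for (size_t i = 0; i < n; i++)
        last = o->vt->handle_event(o, events[i]);
    return last;
}

int main(void) {
    Object c;
    counter_init(&c);
    const int sample[] = {1, 2, 3};              /* constructed sample events */
    printf("%d\n", run_events(&c, sample, 3));   /* prints 6 */
    c.vt->destroy(&c);
    return 0;
}
```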

Another question remains: why would the Duqu programmers employ OO C rather than C++, especially since the authors of Stuxnet and Duqu use C++ elsewhere throughout their code?

Soumenkov theorizes that the individuals who coded these pieces of malware might be "old school" developers who don't entirely trust C++. Another theory is that OO C makes the code far more portable: back in the day, C++ wasn't as standardized and didn't necessarily compile under every use case.

"If you wanted to go for extreme portability and target every existing platform out there, you’d go with C," Soumenkov added.

All the conclusions above indicate a rather professional team of developers, which appear to be reusing older code written by top “old school” developers. Such techniques are normally seen in professional software and almost never in today’s malware. Once again, these indicate that Duqu, just like Stuxnet, is a “one of a kind” piece of malware which stands out like a gem from the large mass of “dumb” malicious programs we normally see.

Not surprisingly, many believe Stuxnet and Duqu are the work of state actors, with many assuming that the US and Israel worked together on creating the malware.

Copyright © 2012 IDG Communications, Inc.