Duqu Trojan Built By "Old School" Programmers, Kaspersky Says
The Duqu Trojan, an espionage tool that last year attracted lots of attention for its many Stuxnet-like features, may have been written by experienced old school programmers, a security researcher at Kaspersky Labs said Monday.
Mon, March 19, 2012
Computerworld — The use of a little used programming language to create part of the the Duqu trojan, an espionage tool that last year attracted lots of attention for its many Stuxnet-like features, indicates that it may have been written by experienced, old school programmers, a security researcher at Kaspersky Labs said Monday.
In a blog post today, Kaspersky security researcher Igor Soumenkov said Duqu's command and control (C&C) component appears to have been developed using Object Oriented C (OO C), a somewhat archaic custom extension to the C programming language.
While most of Duqu was written in the C++ language and compiled with Microsoft's Visual C++ 2008, the C&C module was written in pure C and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) using two specific options to keep the code small.
The choice of language suggests that at least some Duqu developers started programming at a time when Assembler was their language of choice and then moved to C when it became more fashionable, Soumenkov said.
"When C++ was published, many old school programmers preferred to stay away from it because of distrust," he added.
Duqu , a remote access Trojan created to steal data from industrial control systems, was discovered last November by the Laboratory of Cryptography and Systems Security (CrySys) in Budapest. The malware attracted considerable attention because of similarities to the Stuxnet virus that disrupted operations at Iran's Natanz nuclear facility in 2010.
Many researchers have speculated that the two pieces of malware may have been written by the same authors, though with slightly different goals in mind.
Stuxnet was designed to physically damage industrial control equipment while Duqu was designed mostly to steal data from industrial control systems in order to attack them later.
Though opinions about the severity of the threat posed by Duqu varied, many researchers considered the malware to be the work of sophisticated, well-funded, and likely government-supported, hackers.
Earlier this month, Soumenkov said in a blog post that Kaspersky Labs had found an interesting anomaly in a component of Duqu that was used to communicate with command and control servers -- unlike the rest of Duqu, it was not written in C++ and was not compiled using Visual C++ 2008.
"The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked," Soumenknov had noted. In the post, Soumnenkov asked for help identifying frameworks, toolkits or programming languages that could generate such Duqu-like code.