Duqu trojan built by 'old school' programmers, Kaspersky says
Researcher cites choice of Object Oriented C programming language for critical Duqu component
Computerworld - The use of a little used programming language to create part of the Duqu trojan, an espionage tool that last year attracted lots of attention for its many Stuxnet-like features, indicates that it may have been written by experienced, old school programmers, a security researcher at Kaspersky Labs said Monday.
In a blog post today, Kaspersky security researcher Igor Soumenkov said Duqu's command and control (C&C) component appears to have been developed using Object Oriented C (OO C), a somewhat archaic custom extension to the C programming language.
While most of Duqu was written in the C++ language and compiled with Microsoft's Visual C++ 2008, the C&C module was written in pure C and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) using two specific options to keep the code small.
The choice of language suggests that at least some Duqu developers started programming at a time when Assembler was their language of choice and then moved to C when it became more fashionable, Soumenkov said.
"When C++ was published, many old school programmers preferred to stay away from it because of distrust," he added.
Duqu, a remote access Trojan created to steal data from industrial control systems, was discovered last November by the Laboratory of Cryptography and Systems Security (CrySys) in Budapest. The malware attracted considerable attention because of similarities to the Stuxnet virus that disrupted operations at Iran's Natanz nuclear facility in 2010.
Many researchers have speculated that the two pieces of malware may have been written by the same authors, though with slightly different goals in mind.
Stuxnet was designed to physically damage industrial control equipment while Duqu was designed mostly to steal data from industrial control systems in order to attack them later.
Though opinions about the severity of the threat posed by Duqu varied, many researchers considered the malware to be the work of sophisticated, well-funded, and likely government-supported, hackers.
Earlier this month, Soumenkov said in a blog post that Kaspersky Labs had found an interesting anomaly in a component of Duqu that was used to communicate with command and control servers -- unlike the rest of Duqu, it was not written in C++ and was not compiled using Visual C++ 2008.
"The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked," Soumenknov had noted. In the post, Soumnenkov asked for help identifying frameworks, toolkits or programming languages that could generate such Duqu-like code.
The request elicited more than 200 comments and over 60 emails from other programmers citing language, including Forth, Erlang, Delphi, OO C and variants of LISP, that could have been used, Soumenkov said.
Three comments and two emails, including one from an anonymous source, helped Kaspersky determine that the code was developed using pure C compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008), he said.
Developers of the Duqu Trojan appear to have reused older code written by top notch 'old school" programmers," Soumenkov noted.
"Such techniques are normally seen in professional software and almost never in today's malware," he said. The manner in which the code was developed suggests that Duqu, like Stuxnet, "is a 'one of a kind' piece of malware which stands out like a gem from the large mass of 'dumb' malicious program we normally see."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- DOJ's charges against China reframe security, surveillance debate
- Hacker indictments against China's military unlikely to change anything
- U.S. to formally accuse Chinese military of hacking
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!