Duqu trojan built by 'old school' programmers, Kaspersky says
Researcher cites choice of Object Oriented C programming language for critical Duqu component
Computerworld - The use of a little-used programming language to create part of the Duqu trojan, an espionage tool that attracted a great deal of attention last year for its many Stuxnet-like features, indicates that it may have been written by experienced, old-school programmers, a security researcher at Kaspersky Labs said Monday.
In a blog post today, Kaspersky security researcher Igor Soumenkov said Duqu's command and control (C&C) component appears to have been developed using Object Oriented C (OO C), a somewhat archaic custom extension to the C programming language.
While most of Duqu was written in the C++ language and compiled with Microsoft's Visual C++ 2008, the C&C module was written in pure C and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) using two specific options to keep the code small.
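To make concrete what the "Object Oriented C" idiom looks like, here is an added illustration (not Kaspersky's analysis code or anything from Duqu; the Writer/MemWriter/CountWriter names are assumed): a class is a struct whose first member points to a table of function pointers, a constructor fills that table, and callers dispatch through it. This is the shape an analyst recognizes in a disassembly of such code: allocations that store a table address into the new block, followed by indirect calls through that table.

```c
/* Added illustration of the "Object Oriented C" idiom (not Kaspersky's or
 * Duqu's code; names Writer/MemWriter/CountWriter are assumed): a class is a
 * struct whose first member points to a table of function pointers, a
 * constructor fills that table, and callers dispatch through it. In a
 * disassembly this appears as allocations that store a table address into
 * the new block, followed by indirect calls through it. */
#include <stdlib.h>
#include <string.h>
typedef struct Writer Writer;
typedef struct {                          /* the hand-rolled "vtable" */
    size_t (*write)(Writer *self, const char *data, size_t len);
    void   (*destroy)(Writer *self);
} WriterVtbl;
struct Writer { const WriterVtbl *vt; };  /* "base class": only the table */
/* Derived "classes": base comes first so the pointer casts are valid. */
typedef struct { Writer base; char buf[64]; size_t used; } MemWriter;
typedef struct { Writer base; size_t total; } CountWriter;
static size_t mem_write(Writer *self, const char *data, size_t len) {
    MemWriter *m = (MemWriter *)self;
    size_t room = sizeof m->buf - m->used;  /* bounded copy, no overflow */
    if (len > room) len = room;
    memcpy(m->buf + m->used, data, len);
    m->used += len;
    return len;                             /* bytes actually stored */
}
static size_t count_write(Writer *self, const char *data, size_t len) {
    (void)data; ((CountWriter *)self)->total += len; return len;
}
static void heap_destroy(Writer *self) { free(self); }
static const WriterVtbl mem_vt   = { mem_write,   heap_destroy };
static const WriterVtbl count_vt = { count_write, heap_destroy };
/* "Constructors": allocate, store the table pointer, zero the fields. */
Writer *mem_writer_new(void) {
    MemWriter *m = calloc(1, sizeof *m);
    if (m) m->base.vt = &mem_vt;
    return (Writer *)m;
}
Writer *count_writer_new(void) {
    CountWriter *c = calloc(1, sizeof *c);
    if (c) c->base.vt = &count_vt;
    return (Writer *)c;
}
/* "Virtual" calls: the caller never names the concrete type. */
size_t writer_write(Writer *w, const char *s) { return w->vt->write(w, s, strlen(s)); }
void   writer_destroy(Writer *w) { w->vt->destroy(w); }
```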
The choice of language suggests that at least some Duqu developers started programming at a time when Assembler was their language of choice and then moved to C when it became more fashionable, Soumenkov said.
"When C++ was published, many old school programmers preferred to stay away from it because of distrust," he added.
Duqu, a remote access Trojan created to steal data from industrial control systems, was discovered last November by the Laboratory of Cryptography and Systems Security (CrySys) in Budapest. The malware attracted considerable attention because of similarities to the Stuxnet virus that disrupted operations at Iran's Natanz nuclear facility in 2010.
Many researchers have speculated that the two pieces of malware may have been written by the same authors, though with slightly different goals in mind.
Stuxnet was designed to physically damage industrial control equipment while Duqu was designed mostly to steal data from industrial control systems in order to attack them later.
Though opinions about the severity of the threat posed by Duqu varied, many researchers considered the malware to be the work of sophisticated, well-funded and likely government-supported hackers.
Earlier this month, Soumenkov said in a blog post that Kaspersky Labs had found an interesting anomaly in a component of Duqu that was used to communicate with command and control servers -- unlike the rest of Duqu, it was not written in C++ and was not compiled using Visual C++ 2008.
"The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked," Soumenkov had noted. In the post, Soumenkov asked for help identifying frameworks, toolkits or programming languages that could generate such Duqu-like code.
The request elicited more than 200 comments and over 60 emails from other programmers citing languages, including Forth, Erlang, Delphi, OO C and variants of LISP, that could have been used, Soumenkov said.
Three comments and two emails, including one from an anonymous source, helped Kaspersky determine that the code was developed using pure C compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008), he said.
"Developers of the Duqu Trojan appear to have reused older code written by top-notch 'old school' programmers," Soumenkov noted.
"Such techniques are normally seen in professional software and almost never in today's malware," he said. The manner in which the code was developed suggests that Duqu, like Stuxnet, "is a 'one of a kind' piece of malware which stands out like a gem from the large mass of 'dumb' malicious programs we normally see."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.