Duqu trojan built by 'old school' programmers, Kaspersky says
Researcher cites choice of Object Oriented C programming language for critical Duqu component
Computerworld - The use of a little used programming language to create part of the Duqu trojan, an espionage tool that last year attracted lots of attention for its many Stuxnet-like features, indicates that it may have been written by experienced, old school programmers, a security researcher at Kaspersky Labs said Monday.
In a blog post today, Kaspersky security researcher Igor Soumenkov said Duqu's command and control (C&C) component appears to have been developed using Object Oriented C (OO C), a somewhat archaic custom extension to the C programming language.
While most of Duqu was written in the C++ language and compiled with Microsoft's Visual C++ 2008, the C&C module was written in pure C and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) using two specific options to keep the code small.
The choice of language suggests that at least some Duqu developers started programming at a time when Assembler was their language of choice and then moved to C when it became more fashionable, Soumenkov said.
"When C++ was published, many old school programmers preferred to stay away from it because of distrust," he added.
Duqu, a remote access Trojan created to steal data from industrial control systems, was discovered last November by the Laboratory of Cryptography and Systems Security (CrySys) in Budapest. The malware attracted considerable attention because of similarities to the Stuxnet virus that disrupted operations at Iran's Natanz nuclear facility in 2010.
Many researchers have speculated that the two pieces of malware may have been written by the same authors, though with slightly different goals in mind.
Stuxnet was designed to physically damage industrial control equipment while Duqu was designed mostly to steal data from industrial control systems in order to attack them later.
Though opinions about the severity of the threat posed by Duqu varied, many researchers considered the malware to be the work of sophisticated, well-funded, and likely government-supported, hackers.
Earlier this month, Soumenkov said in a blog post that Kaspersky Labs had found an interesting anomaly in a component of Duqu that was used to communicate with command and control servers -- unlike the rest of Duqu, it was not written in C++ and was not compiled using Visual C++ 2008.
"The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked," Soumenknov had noted. In the post, Soumnenkov asked for help identifying frameworks, toolkits or programming languages that could generate such Duqu-like code.
The request elicited more than 200 comments and over 60 emails from other programmers citing language, including Forth, Erlang, Delphi, OO C and variants of LISP, that could have been used, Soumenkov said.
Three comments and two emails, including one from an anonymous source, helped Kaspersky determine that the code was developed using pure C compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008), he said.
Developers of the Duqu Trojan appear to have reused older code written by top notch 'old school" programmers," Soumenkov noted.
"Such techniques are normally seen in professional software and almost never in today's malware," he said. The manner in which the code was developed suggests that Duqu, like Stuxnet, "is a 'one of a kind' piece of malware which stands out like a gem from the large mass of 'dumb' malicious program we normally see."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- DOJ's charges against China reframe security, surveillance debate
- Hacker indictments against China's military unlikely to change anything
- U.S. to formally accuse Chinese military of hacking
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!