Duqu Trojan used 'unknown' programming language: Kaspersky


by Steve Evans| 07 March 2012

Boss Eugene suggests this is more evidence of state involvement

Researchers working for Kaspersky Lab have discovered that the Duqu Trojan, believed to have been written by the people behid the Stuxnet worm, was partly written using a previously unknown programming language.

The Russian security company says this new information could help them discover how the worm was able to communicate with its Command and Control (C&C) servers. The C&C servers essentially tell the worm what to do once it has accessed a system.

Researchers analysed the Payload DLL and found one section was written in an unknown language - it is this section that communicates exclusively with the C&C server, Kaspersky said. They have labelled this section the Duqu Framework.

The Duqu Framework is not written in C++ and it's not compiled with Microsoft's Visual C++ 2008, "but is definitely object-oriented," Igor Soumenkov wrote on the company's blog. "The Duqu Framework appears to have been written in an unknown programming language."

"After having performed countless hours of analysis, we are 100% confident that the Duqu Framework was not programmed with Visual C++. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language," Soumenkov added.

Writing on Twitter, CEO Eugene Kaspersky said that it "seems the state behind Duqu sponsored the development of a new [programming] language."

Alexander Gostev, chief security expert at Kaspersky Lab, expanded on this: "Given the size of the Duqu project, it's possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system infection exploits."

"With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program," he added.

The sophistication of the worm, and the fact that an entirely new programming language was created for it, points to significant financial and labour resources being behind it. Security experts have suggested that a state must have been involved in its development.

Duqu first emerged in September 2011 and is thought to have been written by the same people behind the infamous Stuxnet worm, which targeted Iran's nuclear facilities and attempted to steal highly sensitive information. Duqu worked along the same lines; acting as a backdoor into a system to steal data.

Kaspersky says that most of the recorded incident of the Duqu Trojan were located in Iran and targeted a number of industrial control systems used in a number of industries.

The company has called on the programming industry to help them identify the framework, toolkit or the programming language.

Post a comment

Comments may be moderated for spam, obscenities or defamation.

Join our network

756 people like this.
0 people follow this.

Malware Intelligence

Buy the latest industry research online today!
See more
Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.