Researchers working for Kaspersky Lab have discovered that the Duqu Trojan, believed to have been written by the people behind the Stuxnet worm, was partly written using a previously unknown programming language.
The Russian security company says this new information could help it discover how the worm was able to communicate with its Command and Control (C&C) servers. The C&C servers essentially tell the worm what to do once it has accessed a system.
Researchers analysed the Payload DLL and found that one section was written in an unknown language; it is this section that communicates exclusively with the C&C server, Kaspersky said. They have labelled this section the Duqu Framework.
The Duqu Framework is not written in C++ and it's not compiled with Microsoft's Visual C++ 2008, "but is definitely object-oriented," Igor Soumenkov wrote on the company's blog. "The Duqu Framework appears to have been written in an unknown programming language."
"After having performed countless hours of analysis, we are 100% confident that the Duqu Framework was not programmed with Visual C++. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language," Soumenkov added.
Writing on Twitter, CEO Eugene Kaspersky said that it "seems the state behind Duqu sponsored the development of a new [programming] language."
Alexander Gostev, chief security expert at Kaspersky Lab, expanded on this: "Given the size of the Duqu project, it's possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system infection exploits."
"With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program," he added.
The sophistication of the worm, and the fact that an entirely new programming language was created for it, points to significant financial and labour resources being behind it. Security experts have suggested that a state must have been involved in its development.
Duqu first emerged in September 2011 and is thought to have been written by the same people behind the infamous Stuxnet worm, which targeted Iran's nuclear facilities and attempted to steal highly sensitive information. Duqu worked along the same lines, acting as a backdoor into a system to steal data.
Kaspersky says that most of the recorded incidents of the Duqu Trojan were located in Iran and targeted industrial control systems used across a number of industries.
The company has called on the programming industry to help it identify the framework, toolkit or programming language.