
Kaspersky solves Duqu puzzle

With help of programmers across the globe, company has identified an unknown block of Duqu code


Kaspersky Lab has announced that, with the help of the global programming community, it has identified the unknown code block inside a section of the Duqu Trojan's Payload DLL.

The unknown code section, dubbed the "Duqu Framework", is the portion of the Payload DLL responsible for communicating with the Trojan's Command & Control (C&C) servers once a victim's machine has been infected.

Kaspersky Lab experts have stated with a high degree of certainty that the Duqu Framework consists of C source code compiled with Microsoft Visual Studio 2008, using compiler options that optimise for code size and enable inline expansion. The code was also written with a custom extension for combining object-oriented programming with C, generally referred to as "OO C": the objects are plain C structures whose methods are reached through tables of function pointers rather than through C++ classes.
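To make the "OO C" description concrete, the following is an added illustration of the pattern in plain C; it is not Kaspersky's analysis code and not code from Duqu, and all of the names in it (Object, Counter, Negator, dispatch_all and so on) are hypothetical. It shows what an analyst sees when a C program emulates classes by hand: a static table of function pointers acting as a vtable, objects whose first field points at that table, explicit reference counting, and every method call made indirectly through the table.

```c
/* Added illustration (not Kaspersky's or Duqu's code) of "object-oriented C":
 * classes emulated with structs, function-pointer tables and manual
 * reference counting. All type and function names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct Object;

/* "Virtual method table": a static, read-only table of function pointers.
 * In a compiled binary such tables live in read-only data, and every object
 * of one class points at the same table. */
typedef struct ObjectVtbl {
    void (*destroy)(struct Object *self);
    int  (*handle)(struct Object *self, int event);   /* the "virtual" method */
    const char *name;
} ObjectVtbl;

/* Base object: vtable pointer first, then a reference count. */
typedef struct Object {
    const ObjectVtbl *vtbl;
    int refcount;
} Object;

/* --- Class 1: Counter, remembers how many events it has handled --- */
typedef struct Counter {
    Object base;          /* base "class" embedded first: a Counter* is also an Object* */
    int seen;
} Counter;

static void counter_destroy(Object *self) { free(self); }
static int counter_handle(Object *self, int event) {
    Counter *c = (Counter *)self;
    c->seen += 1;
    return event + c->seen;   /* arbitrary result that proves dispatch reached Counter */
}
static const ObjectVtbl counter_vtbl = { counter_destroy, counter_handle, "Counter" };

Object *counter_new(void) {
    Counter *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->base.vtbl = &counter_vtbl;
    c->base.refcount = 1;
    return &c->base;
}

/* --- Class 2: Negator, same interface, different behaviour --- */
typedef struct Negator { Object base; } Negator;

static void negator_destroy(Object *self) { free(self); }
static int negator_handle(Object *self, int event) { (void)self; return -event; }
static const ObjectVtbl negator_vtbl = { negator_destroy, negator_handle, "Negator" };

Object *negator_new(void) {
    Negator *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->base.vtbl = &negator_vtbl;
    n->base.refcount = 1;
    return &n->base;
}

/* Reference counting done by hand; the destructor is itself a virtual call. */
Object *object_addref(Object *o) { if (o) o->refcount++; return o; }
void object_release(Object *o) {
    if (o && --o->refcount == 0) o->vtbl->destroy(o);  /* indirect call through the table */
}

/* Dispatch: the caller only knows the Object interface, not the concrete class. */
int object_handle(Object *o, int event) { return o->vtbl->handle(o, event); }
const char *object_class(const Object *o) { return o->vtbl->name; }

/* Fan one event out to a list of objects and sum their replies: the kind of
 * loop an event-driven framework runs over its registered handlers. */
int dispatch_all(Object **objs, size_t n, int event) {
    int total = 0;
    for (size_t i = 0; i < n; i++) total += object_handle(objs[i], event);
    return total;
}

int main(void) {
    Object *objs[2] = { counter_new(), negator_new() };
    printf("%s + %s -> %d\n", object_class(objs[0]), object_class(objs[1]),
           dispatch_all(objs, 2, 10));   /* 11 + (-10) = 1 */
    object_release(objs[0]);
    object_release(objs[1]);
    return 0;
}
```

When reversing a binary built this way, the tell-tale signs are exactly the ones the code makes explicit: constructors that allocate a block and store the address of a constant table in its first field, many calls of the form `call [reg]` or `call [reg+offset]` through that field, and reference-count increments and decrements surrounding each hand-off of an object. No C++ runtime type information, name mangling or compiler-generated constructors appear, which is why a framework like this resists the usual C++ class-recovery heuristics.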

According to Kaspersky Lab, this kind of in-house programming is highly sophisticated and more commonly found in complex 'civil' software projects than in contemporary malware. Experts said that while there is no easy explanation for why OO C was used instead of C++ for the Duqu Framework, two plausible reasons support its use:

More control over the code: when C++ first appeared, many old-school programmers preferred to stay away from it because they distrusted its memory allocation and other obscure language features that cause code to execute indirectly. OO C gives the programmer a more predictable framework with less opportunity for unexpected behaviour.

Extreme portability: about 10 to 12 years ago C++ was not fully standardised, and it was possible to write C++ code that was not interoperable with every compiler. Plain C offered extreme portability, since it could target every existing platform without the limitations associated with C++.

"These two reasons indicate that the code was written by a team of experienced 'old-school' developers who wanted to create a customised framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customised to integrate into the Duqu Trojan," said Igor Soumenkov, a Kaspersky Lab malware expert. "However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today's general malware."
