Kaspersky solves Duqu puzzle
With help of programmers across the globe, company has identified an unknown block of Duqu code
Kaspersky Lab has announced that, with the help of the global programming community, it has identified the unknown code block inside a section of the Duqu Trojan's Payload DLL.
The unknown code section, titled the "Duqu Framework" was a portion of the Payload DLL that was responsible for interacting with its Command & Control (C&C) servers after the Trojan infected a victim's machine.
Kaspersky Lab experts have stated with a high degree of certainty that the Duqu Framework consists of "C" source code compiled with Microsoft Visual Studio 2008 and special options for optimizing code size and inline expansion. The code was also written with a customised extension for combining object-oriented programming with C, generally referred to as "OO C".
According to Kaspersky Lab, this kind of in-house programming is highly sophisticated and more commonly found in complex ‘civil' software projects, rather than contemporary malware. Experts said that while there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, there are two reasonable causes that support its use:
More control over the code: When C++ was published, many old school programmers preferred to stay away from it because of distrust in memory allocation and other obscure language features which cause indirect execution of code. OO C would provide a more reliable framework with less opportunity for unexpected behavior.
Extreme portability: About 10-12 years ago C++ was not entirely standardised and it was possible to have C++ code that was not interoperable with every compiler. Using C provides programmers with extreme portability since it's capable of targeting every existing platform at any time without facing the limitations associated with C++.
"These two reasons indicate that the code was written by a team of experienced ‘old-school' developers who wanted to create a customised framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customised to integrate into the Duqu Trojan," said Igor Soumenkov, malware expert. "However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today's general malware."