Duqu Mystery Programming Language Solved

It’s been a strange road to understanding the Trojan-worm hybrid malware Duqu that started spreading numerous spybots and rootkits across the Internet last year. It was even caught exploiting an unknown bug in Microsoft Word in order to get a beachhead on the computer to download spyware. This month, security researchers at Kaspersky Labs broke the code for the virus, decompiled it, and took a look at its inner workings; afterwards they also discovered that part of it (the payload) was written in a language that they couldn’t quite make out.

As a result, a plea along with the anomalous code was sent out to the Internet security community. It appeared on a multitude of major Internet malware research sites, Reddit, and was copied to many security firms for help.

The feedback was impressive, and today the mystery has been finally solved:

We also received two very interesting e-mail messages. Pascal Bertrand aka bps and another author who preferred to remain anonymous suggested that the code was generated from a custom object-oriented C dialect, generally called “OO C”.

The comments were very important because they allowed us to track the exact compiler used in the project: the Microsoft Visual Studio compiler. I spent more time experimenting with different versions of MSVC compilers and different source codes and compiling options trying to reproduce the binary code of the constructor function mentioned in the previous blogpost and finally succeeded.

[…]

Conclusions

  • The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”
  • The code was most likely written with a custom extension to C, generally called “OO C”
  • The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
  • The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan

From what they discovered, experts at Kaspersky Labs decided that this reflected the psychology of a team of veteran “old-school” coders who found themselves comfortable with an older version of a Microsoft C++ compiler. That they’d used professional software development techniques rarely seen in today’s malware; and that Duqu, like Stuxnet, happens to be an anomaly in the malware scene.

Both Duqu and Stuxnet (another modern, politically oriented Trojan) appear to be extremely professional, highly motivated and targeted pieces of code with a lot of ingenuity written into them.

If anything can be considered from this particular payload in Stuxnet, it’s that whomever commissioned this work (or developed it themselves) they had experience, attention, training, and modern computer software engineering knowledge on their side.

About Kyt Dotson

Technology and civilization walk hand in hand and civilization is nothing without the skin of society, brushing up against itself, speaking strange nothings across dimly lit avenues and computer screens. If we're going to understand ourselves in this digital era, it will be through watching the adoption of technology by people to express themselves as people. I am an anthropologist and an author of science fiction and fantasy--and with my technology, I hope to open up new and exciting worlds that will not just enlighten the humanity of my friends and fans but also educate and enhance the expression of their own personhood. Find more of my work on Google+; send tips to @kytsune.