It’s been a strange road to understanding the Trojan-worm hybrid malware Duqu that started spreading numerous spybots and rootkits across the Internet last year. It was even caught exploiting an unknown bug in Microsoft Word in order to get a beachhead on the computer to download spyware. This month, security researchers at Kaspersky Labs broke the code for the virus, decompiled it, and took a look at its inner workings; afterwards they also discovered that part of it (the payload) was written in a language that they couldn’t quite make out.
As a result, a plea along with the anomalous code was sent out to the Internet security community. It appeared on a multitude of major Internet malware research sites, Reddit, and was copied to many security firms for help.
The feedback was impressive, and today the mystery has been finally solved:
We also received two very interesting e-mail messages. Pascal Bertrand aka bps and another author who preferred to remain anonymous suggested that the code was generated from a custom object-oriented C dialect, generally called “OO C”.
The comments were very important because they allowed us to track the exact compiler used in the project: the Microsoft Visual Studio compiler. I spent more time experimenting with different versions of MSVC compilers and different source codes and compiling options trying to reproduce the binary code of the constructor function mentioned in the previous blogpost and finally succeeded.
- The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”
- The code was most likely written with a custom extension to C, generally called “OO C”
- The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
- The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan
From what they discovered, experts at Kaspersky Labs decided that this reflected the psychology of a team of veteran “old-school” coders who found themselves comfortable with an older version of a Microsoft C++ compiler. That they’d used professional software development techniques rarely seen in today’s malware; and that Duqu, like Stuxnet, happens to be an anomaly in the malware scene.
Both Duqu and Stuxnet (another modern, politically oriented Trojan) appear to be extremely professional, highly motivated and targeted pieces of code with a lot of ingenuity written into them.
If anything can be considered from this particular payload in Stuxnet, it’s that whomever commissioned this work (or developed it themselves) they had experience, attention, training, and modern computer software engineering knowledge on their side.