Duqu Language Vexes Researchers

Friday, March 9, 2012 @ 03:03 PM gHale

Duqu, the malicious code that followed in the wake of the infamous Stuxnet code, has gone “under the microscope” nearly as much as its predecessor. But one part of the code remains a mystery, and researchers are asking programmers for help in solving it.

The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines.

Researchers at Russia-based antivirus firm Kaspersky Lab have been unable to determine the communication module’s language.

While other parts of Duqu are in the C++ programming language and compile with Microsoft’s Visual C++ 2008, this part is not, said Alexander Gostev, chief security expert at Kaspersky Lab. Gostev and his team have also determined that it’s not Objective C, Java, Python, Ada, Lua or many other languages they know.

While it’s possible Duqu’s writers created the language for their project and it has never seen use elsewhere, it’s also possible it’s a language commonly used, but only by a specific industry or class of programmers.

Kaspersky is hoping that someone in the programming community will recognize it and come forward to identify it. Identification of the language could help analysts build a profile of Duqu’s authors, particularly if they can tie the language to a group of people known to use this specialized programming language or even to people who were behind its development.

Hungarian researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics discovered Duqu last year.

The researchers examined the code on behalf of an unidentified company infected with the malware. The Hungarian researchers discovered the code was remarkably similar to Stuxnet and concluded the same team wrote it. Although Stuxnet’s mission was to sabotage centrifuges used in Iran’s uranium enrichment program, Duqu’s purpose was espionage. Researchers believe it was to gather intelligence about targeted systems and networks in order for its authors to then design other malware, such as Stuxnet, to sabotage those systems.

Kaspersky researchers analyzed the code and its command-and-control structure on and off for months. In that time, they have been unable to determine much about the language in which Duqu’s communication module is written, except to say it is object-oriented and highly specialized.
