Duqu Report: Code is Old School

Wednesday, March 21, 2012 @ 02:03 PM gHale

Duqu masterminds relied on professional programmers in their code development.

Kaspersky Lab researchers said they were able to unravel the origins of a well-masked programming language used to write the communications module in Duqu, the information-stealing malware connected to Stuxnet. Their analysis also concurs with an earlier ISSSource report that said the same group is behind both malware attacks.


Turns out the attackers used object-oriented C language compiled with Microsoft Visual Studio 2008 — which indicates it wasn’t your typical malware writer behind it, but more of an “old school” programmer, the Kaspersky researchers said. “This is not common for malware writers, that’s for sure,” said Vitaly Kamluk, chief malware analyst. “This looks like a normal style for coding enterprise-wide applications.”

Kamluk said the language used is commonly a tool of professional software developers, which suggests the Duqu writers were not a typical cyber criminal outfit. Kaspersky earlier this month asked the security community for assistance in identifying the programming language, which didn’t look like any they had seen before.

Most researchers agree Duqu and Stuxnet came from the same code base; others debate whether the two attacks are related. ISSSource reported last year Israel and the U.S. partnered in an attempt to halt Iran’s nuclear enrichment program.

Other researchers, including Dell SecureWorks, disputed any connection between the Duqu and Stuxnet attacks. Just because they came from the same toolkit, SecureWorks’ Don Jackson argued, doesn’t mean they are part of the same attack.

One theory posed by Kaspersky and other research firms is Duqu was the reconnaissance piece of the Stuxnet attack on the Siemens equipment. But SecureWorks says that is not the case.

Meanwhile, when Kaspersky researchers were unable to decipher the programming language used in Duqu, they asked for outside help. “We thought it was one of two options, either C or a new programming language. That’s why we asked the community” for help, Kamluk said.

The creators of Duqu and Stuxnet have been careful not to leave behind clues that might give away their native spoken language or country of origin, he said.