Duqu’s Mystery Language Decoded

Kaspersky has identified the bespoke language the Duqu Trojan was using to interact with its command and control (C&C) servers.

The company was initially stumped by the complex code, calling for assistance in determining what language was used. Thanks to input from various sources, the Russian firm was able to deduce that Duqu’s creators chose to combine object-oriented programming with C, otherwise known as ‘OO C’.

Old school skills

Kaspersky said this would have given the creators greater control over the code, explaining OO C “provides a more reliable framework with less opportunity for unexpected behaviour”.

OO C should also work on every existing platform at any time, something that C++, the language often used to build malicious programs, cannot guarantee, Kaspersky said.

Researchers said they had a “high degree of certainty” the so-called “Duqu Framework” consisted of “good old” C source code compiled with Microsoft Visual Studio 2008.
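As an added illustration (not code from the article, from Kaspersky or from Duqu itself), this is the general shape of the "OO C" idiom described above: a struct whose first field points to a table of function pointers stands in for a class, with explicit constructor and destructor functions. The type and function names are assumptions chosen for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration (not Duqu's code) of the "OO C" idiom: a "class" is a
 * struct whose first field points to a table of function pointers (a vtable),
 * with explicit constructor/destructor functions and a 'self' pointer passed
 * to every method. All names here are assumed for the example. */
struct Object;
struct VTable {
    void   (*destroy)(struct Object *self);
    size_t (*size)(const struct Object *self);
    int    (*write)(struct Object *self, const void *data, size_t len);
};
struct Object { const struct VTable *vt; };   /* the "base class" */

/* "Derived class": fixed-capacity byte buffer; base subobject first, so a
 * Buffer * is also a valid Object * (the layout an analyst sees in memory) */
struct Buffer {
    struct Object base;
    size_t len;
    unsigned char data[32];
};

static void buffer_destroy(struct Object *self) { free(self); }
static size_t buffer_size(const struct Object *self) {
    return ((const struct Buffer *)self)->len;
}
static int buffer_write(struct Object *self, const void *data, size_t len) {
    struct Buffer *b = (struct Buffer *)self;
    if (len > sizeof b->data - b->len) return -1;   /* bounds check: refuse overflow */
    memcpy(b->data + b->len, data, len);
    b->len += len;
    return 0;
}
static const struct VTable buffer_vtable = { buffer_destroy, buffer_size, buffer_write };

/* Constructor: allocate, zero, install the vtable pointer */
struct Object *buffer_new(void) {
    struct Buffer *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->base.vt = &buffer_vtable;
    return &b->base;
}

/* Callers use only the base interface and dispatch through the vtable, which
 * is why such code shows up as chains of indirect calls in a disassembler */
size_t demo(void) {
    struct Object *o = buffer_new();
    if (!o) return 0;
    o->vt->write(o, "hello", 5);
    o->vt->write(o, " world", 6);
    size_t n = o->vt->size(o);
    o->vt->destroy(o);
    return n;   /* 11 */
}
```

The vtable-pointer-first layout and the constructor that installs it are the structural fingerprints an analyst looks for when deciding whether a native binary was written in this style.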

From the findings, Kaspersky asserted Duqu’s creators, who are also thought to have created the super-malware Stuxnet, would have been “old-school” developers who wanted a highly flexible framework to deliver payloads across various platforms.

Only “elite” programmers would work with this kind of language, the security firm said.

The Mac daddy

Kaspersky researcher Vitaly Kamluk, speaking during a web conference today, noted that OO C is often used in development approaches for Mac OS, which was quite an “interesting coincidence”. For Mac developers, the language is more commonly known as Objective-C.

“The bad guys that create classical malware use simple tools to make creating things easier and faster. In Duqu it was different,” Kamluk added. “This [Duqu Framework] is quite expensive in terms of resources and time.”

It remains unclear how the findings will help uncover who created Duqu, but Kamluk was upbeat about the research’s impact.

“This can shed some light on who might be behind it and there will be some options to choose from to determine exactly who it was. Right now the research is still in progress,” he added. “We are not close to answering the question which country might be behind this.”

Kamluk could not tell TechWeekEurope about any similarly sophisticated malware, saying sometimes researchers got lucky and came across high-quality malicious programs. Nothing in Duqu or Stuxnet’s class has appeared this year.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
