Mystery programming language in Duqu

Kaspersky Lab experts have discovered an unknown programming language in the Duqu Trojan, and are appealing to the programming community for support in analysing it.

The Duqu Trojan was created by the same people who designed the notorious Stuxnet worm. It was designed to act as a backdoor into a system to steal private information.

Although it was first detected in September 2011, Kaspersky says the first traces of Duqu-related malware go as far back as August 2007.

The security giant says it has recorded more than a dozen incidents involving this Trojan, with most of the affected victims located in Iran.

“An analysis of the victim organisations' activities and the nature of the information targeted by the Duqu authors clearly suggest the main goal of the attacks was to steal information about industrial control systems used in a number of industries, as well as gathering intelligence about the commercial relations of a whole range of Iranian organisations,” says Kaspersky.

How Duqu was communicating with its Command and Control (C&C) servers once it infected a victim's machine has baffled the security community.

The company says much of the code is identifiable as standard C++, but its experts have been unable to determine the origin of other segments.

The code in question is part of the Payload DLL, in other words, the part of the Trojan that sends data to and receives instructions from an outside source once it has infiltrated a system. Kaspersky has confirmed the code is object-oriented, but otherwise unlike anything it has seen previously.

“Given the size of the Duqu project, it's possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system infection exploits,” said Aleks Gostev, chief security expert at Kaspersky Lab.

Gostev explains that the extremely high level of customisation and exclusivity with which the programming language was created makes it possible that it was designed not only to prevent outside parties from gaining insight into the whole operation and its interactions with the C&Cs, but possibly also to keep it separate from the other internal Duqu teams responsible for writing the additional parts of the malicious program.

He says the creation of a dedicated programming language demonstrates the high skill levels of the people working on the project, and also illustrates the significant financial and labour resources that have been poured into it.

Kaspersky asks that anyone who recognises the framework, toolkit or the programming language that can generate similar code constructions please contact its experts.
