An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan. The sections responsible for downloading and executing additional modules in the Duqu Trojan, referred to by some as Stuxnet 2.0, were written in standard C++.
Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C”, and compiled with the Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

Kaspersky’s Igor Soumenkov wrote, “No matter which of these two variants is true, the implications are impressive. The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers.”
Kaspersky’s analysis now concludes:
- The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”
- The code was most likely written with a custom extension to C, generally called “OO C”
- The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
- The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan
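To make the “OO C” finding concrete, here is an added illustration of the pattern analysts describe: a struct whose first field points to a hand-rolled table of function pointers, explicit constructor and destructor functions, and an event loop that dispatches through that table. This is example code written for this page, not Kaspersky’s analysis or any part of the Duqu code; the type and function names are invented.

```c
#include <stdio.h>
#include <stdlib.h>
/* "Class" in OO C: a struct whose first member points to a hand-rolled
 * table of function pointers (a vtable).  Objects come from malloc and go
 * away only when a destructor is called explicitly: no automatic memory
 * management, no safe pointers. */
struct Handler;
struct HandlerVtbl {
    int  (*on_event)(struct Handler *self, int event_id);
    void (*destroy)(struct Handler *self);
};
struct Handler {
    const struct HandlerVtbl *vtbl; /* first field, like a C++ object */
    int handled;                    /* instance state */
};
/* One concrete "subclass": counts the events it is asked to handle. */
static int counter_on_event(struct Handler *self, int event_id) {
    (void)event_id; return ++self->handled;
}
static void counter_destroy(struct Handler *self) { free(self); }
static const struct HandlerVtbl counter_vtbl = { counter_on_event, counter_destroy };

/* "Constructor": allocate the object and wire up its vtable pointer. */
struct Handler *counter_new(void) {
    struct Handler *h = malloc(sizeof *h);
    if (!h) return NULL;
    h->vtbl = &counter_vtbl;
    h->handled = 0;
    return h;
}

/* Event loop: every event is dispatched through the vtable, the indirect
 * call pattern an analyst sees instead of direct calls in a disassembly. */
int dispatch_events(struct Handler *h, const int *events, size_t n) {
    int last = 0;
    for (size_t i = 0; i < n; i++)
        last = h->vtbl->on_event(h, events[i]);
    return last;
}

/* Runs a constructed sample of three queued events; returns the count. */
int run_sample(void) {
    static const int queue[] = { 1, 2, 3 }; /* constructed sample events */
    struct Handler *h = counter_new();
    if (!h) return -1;
    int n = dispatch_events(h, queue, 3);
    h->vtbl->destroy(h); /* explicit release; nothing frees it otherwise */
    return n;
}
int main(void) { printf("handled %d events\n", run_sample()); return 0; }
```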
The Duqu Framework may have been created by a different programming team, since it is unique to Duqu, unlike many parts of Duqu that seem to be directly borrowed from Stuxnet. It’s believed that the developers are old-school programmers who don’t trust C++, and that’s probably why they relied on C. Another reason for using OO C is that back in the good old days it was more portable than C++.
Knowing the techniques used to develop the malware allows Kaspersky’s researchers to make better guesses about who might be behind the code. Creating Duqu was a major project, so it’s possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it’s even possible that those who created the Duqu framework were ignorant of the real purpose of their work.
Duqu was first detected in September 2011, but Kaspersky Lab believes it has seen the first pieces of Duqu-related malware dating back to August 2007. The Russian security firm also notes that Duqu, like Stuxnet before it, is highly targeted and related to Iran’s nuclear program.