The mystery of the Stuxnet-like ‘Duqu’ Trojan has deepened with the news that elements of its payload appear to have to have been written in an unidentifiable programming language.
An ongoing analysis effort by Kaspersky Lab researchers has now uncovered much of the inner programming structure of the software, overwhelmingly written quite conventionally in C++.
However, delving inside the Payload.dll, the team discovered a section of the code dedicated to stealthy communication with the Trojan’s command and control servers that defied their analysis.
Dubbing it the ‘Duqu Framework’, the team has not been able to go much further than identifying it as an object-oriented language of considerable sophistication.
“The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked,” said Kaspersky Lab engineer, Igor Soumenkov.
Payload.dll looks to be a critical element of the program. According to Kaspersky, it is used to receive instructions from remote servers but also to relay stolen data, and can operate completely independently of the rest of the program. It was also important for spreading the Trojan to other Windows machines.
“Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system infection exploits,” said Kaspersky’s chief security expert, Alexander Gostev.
“With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program.”
Discovered by Budapest University security researchers last September, Duqu’s provenance, intention and design matters because it has been plausibly connected to the infamous Stuxnet malware that many believe was created to disrupt vulnerable SCADA systems connected to Iran’s nuclear enrichment program.
The connections between the two programs are contentious but eery, based on the two programs’ use of common elements. What is clear is that Duqu is sophisticated enough to be the work of a well-resourced and skilled team trying to cover its tracks.
In that they have failed as they were always doomed to do. The more sophisticated a piece of software, the more unusual its programming design and structure is likely to be and the more this very expert-level complexity draws attention to itself, raising suspicions.
Despite turning itself into the expert hub on the Trojan, Kaspersky has now appealed to programmers for help in identifying the programming language used to create the Duqu Framework.