The Duqu Trojan, which some believe is a relative of the Stuxnet worm used to attack Iran, was partly programmed in Object-Oriented C (OOC) by a traditional “old school” enterprise programming team, Kaspersky Lab researchers have concluded.
Kaspersky has spent months analysing Duqu in the hope of unravelling its mystery, and only two weeks ago admitted it had hit a wall with a section of payload code that appeared to have been written in an unknown programming language.
After an appeal to the developer community for help, the answer they have come up with throws up yet more questions about Duqu’s baffling provenance.
According to Kaspersky, the mystery code section was written in C using a custom object-oriented framework, an approach never before encountered in the company’s analyses of cybercriminal malware. The compiler used was Microsoft Visual C++ 2008, with optimisation settings chosen to produce a small footprint.
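Attributing a Windows binary to a particular Microsoft toolchain, as Kaspersky did here, usually starts with the linker version stamped in the PE optional header: the Visual Studio 2008 linker writes major version 9. The script below is an added example, not code from the article or from Kaspersky; it parses that field from a PE image and maps it to the toolchain using the well-known linker version numbering. The `build_sample_pe` helper fabricates a minimal, constructed PE header as sample input so the script runs offline; it is not a real Duqu sample.

```python
import struct

# Major linker version -> Microsoft toolchain (well-known numbering;
# version 9 is the Visual Studio 2008 linker).
LINKER_VERSIONS = {
    6: "Visual C++ 6.0",
    7: "Visual C++ .NET 2002/2003",
    8: "Visual C++ 2005",
    9: "Visual C++ 2008",
    10: "Visual C++ 2010",
    11: "Visual C++ 2012",
    12: "Visual C++ 2013",
    14: "Visual C++ 2015 or later",
}


def linker_version(pe_bytes):
    """Return (major, minor) linker version from a PE image's optional header."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsect, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe_bytes, coff)
    if opt_size < 4:
        raise ValueError("optional header missing or truncated")
    opt = coff + 20
    # Optional header starts with Magic, MajorLinkerVersion, MinorLinkerVersion.
    magic, major, minor = struct.unpack_from("<HBB", pe_bytes, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return major, minor


def guess_toolchain(pe_bytes):
    """Map the linker major version to a toolchain name (heuristic only)."""
    major, minor = linker_version(pe_bytes)
    return LINKER_VERSIONS.get(major, "unknown linker %d.%d" % (major, minor))


def build_sample_pe(major, minor):
    """Constructed minimal PE header used as sample input (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, PE32 opt size
    opt = struct.pack("<HBB", 0x10B, major, minor) + bytes(224 - 4)
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    sample = build_sample_pe(9, 0)   # constructed: what a VS2008-linked image carries
    print(linker_version(sample), guess_toolchain(sample))
```

The linker version is a hint, not proof: it is a plain header field that a packer or a deliberate attempt at misattribution can overwrite, so analysts corroborate it with the undocumented "Rich" header between the DOS stub and the PE signature and with compiler-specific runtime and prologue patterns, which is closer to the depth of analysis the article describes.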
If this sounds slightly arcane, the inferences that can be drawn from it could be hugely significant in understanding the origins and purpose of the most perplexing family of malware ever discovered.
Duqu was most likely the work of a large team that included traditional professional programmers of the sort who might see a use for the efficiency, portability and standardisation of a language as specialised as OOC. The language was also popular among old-style Mac OS developers.
It is also possible that some of the developers wrote the code without a full appreciation of the whole programme they were building, which is to say they might not have known its ultimate purpose.
“It seems like this is civil code from normal software developers, not cybercriminals. It looks like the normal style for coding enterprise applications,” said Kaspersky’s chief malware expert Vitaliy Kamlyuk, a comment backed up by his colleague, Igor Soumenkov.
“These techniques are normally seen by elite software developers and almost never in today’s general malware,” said Soumenkov.
The company has also released a binary image of Duqu and Stuxnet (see above segment) to underline what they believe are the strikingly similar designs of the two programmes. The company has previously said that the two were created using the same software platform.
“The guys behind Duqu and Stuxnet tried to hide and they did it by not using any language inside the files. They tried to stay language-independent,” said Kamlyuk, referring to the lack of any traces of English or other natural languages in the code.
Kaspersky remains unwilling to be explicit about its suspicions as to who might have written Duqu and for what purpose, but it said the Trojan could have been aimed at infecting a small group of individuals rather than at spreading as general malware.
Since Duqu’s discovery in September 2011, several theories have circulated on its origins, most of which now accept that it has a sinister connection to Stuxnet. The latter became infamous in 2010 for the disruption it caused to the Siemens SCADA industrial systems connected to Iran’s nuclear enrichment programme.
Many assume it was the work of the US, Israel or the UK - Iran's enemies - although the evidence for this is circumstantial at best.