Slashdot Mirror


Researchers Seek Help In Solving DuQu Mystery Language

An anonymous reader writes "DuQu, the malicious code that followed in the wake of the infamous Stuxnet code, has been analyzed nearly as much as its predecessor. But one part of the code remains a mystery, and researchers are asking programmers for help in solving it. The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines."

131 comments

  1. It says... by Anonymous Coward · · Score: 5, Funny

    NSA Property, Keep Out.

    1. Re:It says... by Beardo+the+Bearded · · Score: 5, Interesting

      It looks to me to be the output from the PLC compiler. Clear, count, and compare are basic ladder logic commands.

      If you figure out which PLCs the Iranians are using that'll give you the compiler; each brand has its own and you're really unlikely to see it if you haven't used it. How many people here have used DirectSoft? Have you seen Schneider's programming interface?

      That would explain why the researchers haven't seen it. You rarely use PLCs outside of industry.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    2. Re:It says... by chinton · · Score: 2

      No, it says "Seatec Astronomy".

    3. Re:It says... by uhuru_meditation · · Score: 1

      SIEMENS PLC..

    4. Re:It says... by bl968 · · Score: 1

      It's actually \|/

      --
      "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
    5. Re:It says... by Anonymous Coward · · Score: 0

      > "Seatec Astronomy"
      "too many secret A's" ?

      I think you meant "Setec Astronomy"

    6. Re:It says... by Anonymous Coward · · Score: 0

      What about the fact that it's x86 code?

    7. Re:It says... by Anonymous Coward · · Score: 0

      PLC compilers produce x86 code?

    8. Re:It says... by daem0n1x · · Score: 1

      Actually, it doesn't come from the NSA. The name resembles "Do cu", which is "from the ass" in Portuguese. There, now you know where it comes from.

  2. Mystery Code by Oswald+McWeany · · Score: 4, Funny

    The mystery code isn't really much of a mystery- it's just how Duqu communicates with the sith lord.

    --
    "That's the way to do it" - Punch
    1. Re:Mystery Code by Anonymous Coward · · Score: 0

      > The mystery code isn't really much of a mystery- it's just how Duqu communicates with the sith lord.

      The apprentice or the master? Just wondering if we have to go to Bush or Cheney for more details. I'm hoping for the latter, or it will be more like a conversation with Yoda.

    2. Re:Mystery Code by Anonymous Coward · · Score: 0

      In your example WHO is the apprentice and WHO is the master. Is Bush the apprentice or is Cheney the apprentice?

      Cheney was only Vice President- but he seemed to be the one calling the shots.

    3. Re:Mystery Code by mcgrew · · Score: 1

      Besides, I thought Obi Wan killed DuQu?

    4. Re:Mystery Code by Anonymous Coward · · Score: 0

      No no. You got it wrong. Anakin killed DuQu, not Obi Wan.

    5. Re:Mystery Code by ericloewe · · Score: 2

      You must be quoting that mythical Star Wars prequel trilogy that somehow spread around like wildfire. Good thing it's just a myth.

    6. Re:Mystery Code by dougisfunny · · Score: 2

      Anakin actually killed both DuQu and Obi Wan.

      --
      This is not the funny you're looking for.
    7. Re:Mystery Code by steelfood · · Score: 1

      Sounds insidious.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    8. Re:Mystery Code by schroedingers_hat · · Score: 1

      Wait, the World Health Organization is a sith lord too?

    9. Re:Mystery Code by Anonymous Coward · · Score: 0

      Unfortunately, that was a long time ago, in a galaxy far, far away.

  3. So, we meet at last.... by Anonymous Coward · · Score: 0

    So, we meet at last Count DuQu.
    I think we should just cut to the chase and ask George Lucas to tell us whether DuQu or Stuxnet shot first.

    1. Re:So, we meet at last.... by Spy+Handler · · Score: 1

      My powers have doubled since the last time we met, DuQu!

  4. Looks like assembly to me by Anonymous Coward · · Score: 0

    I kid, I kid...

    1. Re:Looks like assembly to me by PPH · · Score: 3, Insightful

      > I kid, I kid...

      Why? It's entirely possible that this snippet of code is a piece of in-line assembly. It may have started out coming from some higher level language, but been tweaked or completely rewritten in assembly and its origin is no longer recognizable.

      --
      Have gnu, will travel.
    2. Re:Looks like assembly to me by forkfail · · Score: 3, Insightful

      Or even self modifying assembly....

      That would be a real pisser to figure out.

      --
      Check your premises.
    3. Re:Looks like assembly to me by Anonymous Coward · · Score: 0

      Why it's all the same code, in fact pure assembly is way cleaner and simpler to disassemble than code from a high level arena!

       

    4. Re:Looks like assembly to me by v1 · · Score: 2

      I don't understand why they are avoiding this option like the plague. C'mon... practically every compiler compiles its language into assembly and runs that through an assembler for final object code creation. (tho some will then run THAT through an optimizer etc) There's absolutely no reason for them to insist it can't be written in native assembler. I wrote many things for the 6502 that way - if you want it fast and small, that's the way to go.

      And sorry, if they have to reverse it back into C++ or some other higher level language to figure out what it does, they're idiots, no better than script kiddies. I don't care if they have ten CS masters degrees. Assembly just takes a little more time to work out, it's not like it's encrypted and they don't have the key.

      None of this should come as a surprise to anyone. The authors are black-hats. They make their living on buffer overflows and bug exploitation, they damn well know how to code in assembly, and specifically how to tear it apart and analyze it in fine detail. Why can't these "experts" do that?

      --
      I work for the Department of Redundancy Department.
    5. Re:Looks like assembly to me by Brett+Buck · · Score: 2

      I think most are missing the point. They probably already know what it does (if they don't, given the effort they have expended, then they are boobs). What they want to do is find what the language was *in order to track down the authors* on the premise that it was some strange language only used in a few places and if they find it, they can narrow the range of likely candidates.

    6. Re:Looks like assembly to me by Whiteox · · Score: 2

      Actually looks like the result of a macro assembler module. The MOV functions give it away. The only reason for doing that is to make it faster or to reduce the code size, not necessarily to obfuscate. The programmer is old school.

      --
      Don't be apathetic. Procrastinate!
    7. Re:Looks like assembly to me by Anonymous Coward · · Score: 0

      Mind you, if you were writing a bit of naughty code and wanted to avoid your identity being discovered at all costs, wouldn't you be tempted to use an obscure language only overtly used somewhere else?

      For example, the NSA might choose something popular among Russian hackers, while the Chinese might favor a language closely associated with the American DOD.

    8. Re:Looks like assembly to me by Anonymous Coward · · Score: 0

      Any C compiler will generate MOV instructions for reading and writing variables. If you were really lucky, memcpy() would become REP STOSB/STOSW/STOSL.
      Normal stack behavior is to use the stack pointer register (ESP) to hold stack frames, and the 32-bit return result in EAX. Other registers like EBX, ECX, EDX for index values.

  5. easy by P-niiice · · Score: 1

    hmmm yes, your average script kiddie can totally create a custom language and totally stump the entire computing universe. my daughter did it last week while looking for proxies to get around my facebook ban. no government needed!

    1. Re:easy by Anonymous Coward · · Score: 0

      ...except that this wasn't written by your average "script kiddie".

    2. Re:easy by Anonymous Coward · · Score: 0

      Yeah, it was obvs written by the daughter of P-niice. Nice detective work there, AC.

    3. Re:easy by Anonymous Coward · · Score: 0

      If you think DuQu was written by "your average script kiddie", or that DuQu was written by any "script kiddie", then I have a great deal on some kosher seafront land in Florida that has your name all over it!

    4. Re:easy by Havokmon · · Score: 1

      You mean you're not already running a squid/dansguardian box with NTLM auth locally and blocking all other Internet access? :)

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  6. Probably written in INTERCAL by el+borak · · Score: 1

    Learned INTERCAL from Guy Steele in the Comparative Languages course at CMU.

    --
    An imperfect plan executed violently is far superior to a perfect plan. -- George Patton
  7. Assembly? by Anonymous Coward · · Score: 0

    Have they thought about the possibility that this was custom assembly programming and not some high level language at all?

    1. Re:Assembly? by Qzukk · · Score: 2

      Who would be insane enough to write OO code in assembly?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Assembly? by Surt · · Score: 2

      My dad did. Maybe he's behind this. But he was a first generation programmer. Trying to get him to move on from assembly was a pointless endeavor.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    3. Re:Assembly? by Ohrion · · Score: 1

      I'm sure he did write assembly. But Object Oriented assembly? Come on now...

    4. Re:Assembly? by SmurfButcher+Bob · · Score: 1

      > from assembly was a pointerless endeavor.

      ftfy.

      --

      help me i've cloned myself and can't remember which one I am

    5. Re:Assembly? by hawkbat05 · · Score: 1

      By the sounds of the article they haven't ruled that out. They're just checking to see if it could be a higher level language that would help identify the writer(s).

    6. Re:Assembly? by Surt · · Score: 1

      No seriously. When OO became a fad he figured out how to build up macros to support an OO model.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    7. Re:Assembly? by Minwee · · Score: 1

      Right. That limits the suspects to... um... just about anyone who took a second-year computer science course above the level of "See Spot Run".

    8. Re:Assembly? by Mr+Z · · Score: 1

      It's out there. I remember reading about an engine control algorithm running on a 68HC16 microcontroller in Circuit Cellar Ink back in the mid-90s, and it was written in object oriented assembler. It caught me so off-guard that I still remember it almost 20 years later.

    9. Re:Assembly? by tibit · · Score: 1

      That's beside the point. Who the fuck cares what is the imaginary high level language this stuff was written in? They are analyzing the somewhat annotated disassembly anyway. To me it looks like it may be the output from some PLC environment. Perhaps it's CoDeSys output. It doesn't matter anyway, there are no tools that will take this and restore the source. It's not like you need something uber-fancy anyway to help with what's the key here: figuring out what the code does.

      --
      A successful API design takes a mixture of software design and pedagogy.
    10. Re:Assembly? by 19thNervousBreakdown · · Score: 1

      Why's that so hard to believe? I've been programming almost exclusively in object-oriented languages for 15 years now, give or take. Chances are no matter what language I write in, whatever I write is going to include many object-oriented features. If I was working with a complex assembly project, a type system would be one of the first things I came up with. From there, it's not much of a stretch to imagine you'd want to associate data with instances of that type, and functions that can operate on them. Bam! Object-oriented assembly. Private members and inheritance are just small steps from there.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    11. Re:Assembly? by Nadaka · · Score: 1

      I did when I was in college.

    12. Re:Assembly? by rev0lt · · Score: 1

      I *wish* my day-to-day job was OO asm development. I've done a fair amount of x86 OO programming, and it is quite easy (if you're fluent in asm).

    13. Re:Assembly? by rev0lt · · Score: 1

      Or just consider that the Borland Turbo Assembler did have "native" OO support, and that there are a ton of MASM OO macros that can be somewhat easily adapted to any modern assembler.

    14. Re:Assembly? by Anonymous Coward · · Score: 0

      You don't have to use an object oriented language to do object oriented programming, it just makes it easier to do so. On the Fidonet 80XXX echo back in the early '90s there was a tutorial series on writing generic object oriented x86 assembly. On the other hand, Borland's TASM assembler also supported OOP natively.

    15. Re:Assembly? by JonySuede · · Score: 1
      --
      Jehovah be praised, Oracle was not selected
    16. Re:Assembly? by hawkbat05 · · Score: 1

      The researchers care what high level language was used. It could help identify who wrote it since it's likely that the language has a small user base.

    17. Re:Assembly? by tibit · · Score: 1

      Good point, although compared to mainstream tools like MSVC, almost everything has a "small" user base.

      --
      A successful API design takes a mixture of software design and pedagogy.
    18. Re:Assembly? by IwantToKeepAnon · · Score: 1

      I have also. TASM (Borland's Turbo Assembler) had support for it. The assembler would manage a vtable for you among other things. I've also programmed OO in Korn shell. Why OO in assembler or ksh? Because it was the right tool for the job and OO principles can be used anywhere they make sense and help the effort. It's not as far out there as you make it seem.

      --
      "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
    19. Re:Assembly? by lightknight · · Score: 1

      Because it annoys the PhDs, that's why they care.

      Think about it. We use high-level languages because it expresses an idea in fewer words. If I call a TextBox control in C#, that's simpler than the equivalent in Assembly. These people, of course, are annoyed, because without knowing what the higher language was (assuming there was one used), it will take their minds years to analyze what exactly the code is doing; whereas if they knew what the higher language was, they could create a decompiler, and have something approaching the original source code in a few weeks / months.

           

      --
      I am John Hurt.
    20. Re:Assembly? by Anonymous Coward · · Score: 0

      It's not that hard. In fact, it makes work in assembly easier.

    21. Re:Assembly? by PPH · · Score: 1

      Not the whole app. According to TFA, it was written in C++. They even know which implementation. But this particular function (subroutine, method, whatever) appears not to be written in that.

      It's something different. Or someone banged out some ASM by hand. If they can figure out what language this routine was written in, they can narrow down the list of possible authors*.

      * Come on now. You didn't think the NSA wasn't scraping all the developers' resumes from LinkedIn to build a skill set database to figure out who wrote what, did you?

      --
      Have gnu, will travel.
    22. Re:Assembly? by tibit · · Score: 1

      Creating a "decompiler" isn't exactly trivial. The types of analyses you have to do on machine code compiled with today's optimizing compilers are fairly generic, they will give you some higher-level representation of the code no matter what was the underlying language. Those tools recognize certain patterns to provide even higher level information, but at a basic level they pretty much repeat what a compiler would do: there's data flow and control flow analysis, and a whole lot of inference based on those. I'm sure there's a whole lot of techniques and tricks published...

      --
      A successful API design takes a mixture of software design and pedagogy.
    23. Re:Assembly? by lightknight · · Score: 1

      Two points:

      1.) No one said it was trivial, but for a capable researcher who has spent a fair portion of their life dealing with decompilers (and writing a few of their own), they probably have an idea how to do it fairly quickly.

      2.) While it's possible to walk-through reams of Assembly code, it's painful. Extremely painful. A 100-line 'function' in Assembly code will cause most programmers to pause, and a 100,000 lines of Assembly code ('functions' and all) will break even the most vigilant of programmers. The human mind just does not like holding 100,000 variables actively in working memory (whether it can actually do that is open to some debate). 100,000 lines in Assembly is 2,000 lines in a higher-level language, segmented properly so the human brain doesn't crash.

      --
      I am John Hurt.
    24. Re:Assembly? by Anonymous Coward · · Score: 0

      > I'm sure he did write assembly. But Object Oriented assembly? Come on now...

      OO is an approach to programming, and while most people rely on higher level language constructs to take care of the OO mechanisms for you, it's not at all required. I was using OO concepts before OO became a buzzword, and when I first learned about OO I scratched my head and thought "Well, yea no shit, you mean people weren't doing things like this already?"

      It's not hard to do, assuming you actually understand programming and the compiler is just a tool for saving you some work. I realize this is a foreign concept to kids who learned to code in higher level languages, and regard anything in the compiler as 'black magic', but for those of us who actually learned to understand the architecture, etc. from the ground up it's nothing special.

    25. Re:Assembly? by dr2chase · · Score: 1

      Just for reference, I have a PhD, I work on compilers and runtime systems. People like me program in assembly, we program in HLLs, whatever works. We will (for actual example) pore over 88 pages of assembly-language output from a compiler in order to find the register allocation bug. Other people I've worked with on compilers (some with PhDs, some not) do things like diagnosing a C optimizer bug based only on the C++ input to cfront (later run through a C compiler) and the busted output, or, after pondering the full set of symptoms, (correctly) diagnose a "compiler bug" as a lack of thermal compound between CPU and heat sink (over the phone!)

      You get good at this stuff when you do it full-time, and a compiler/debugger person who had come across this language in the past would probably ID it confidently. It's probably NOT something that passed through a C compiler, because those still have calling conventions, structure layout conventions, and other funny idioms that would still be obvious to someone familiar with C compilers on that platform (which presumably the guys at Kaspersky are).

    26. Re:Assembly? by P-niiice · · Score: 1

      teach me obi wan that stuff sounds cool.

    27. Re:Assembly? by Anonymous Coward · · Score: 0

      Point fails. There's a compiler operating on that code before the assembler.
      I can put assembly inline in my C++ code, too. Just because you're putting it inline with whatever Borland calls that custom-language-that-obviously-isn't-assembly doesn't make it "object-oriented assembly".

    28. Re:Assembly? by Anonymous Coward · · Score: 0

      You can learn by yourself with gcc.

      Lesson #1: type 'man gcc' and 'man g++'
      Learn what each and every one of those compiler options does.

      Lesson #2: run gcc and g++ with the -S and various optimization options to see how the assembly language changes
      Simple ones are -O1, -O2, -O3

      Other interesting options are -Q : list each function as it is compiled. Other compilers used to display the number of instructions and data generated by each function.

  8. answer is simple by Anonymous Coward · · Score: 1

    It's in ROT-13 Pig Latin.

    I'll take my paycheck in gum, Trident Layers to be specific.

  9. iron python by koan · · Score: 0

    It's iron python.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:iron python by Anonymous Coward · · Score: 0

      Iron Python, a .Net language that compiles to IL byte code that is JIT compiled by the .Net runtime?

      Since it's the runtime doing the compiling, how can you be confident it's IronPython at all, over any other .Net language?

    2. Re:iron python by Mr+Z · · Score: 2

      Ok, you and someone on the article both said the same thing, with absolutely nothing to back it up. Care to elaborate? I'm particularly curious how a .NET bytecode executable ends up as baroque machine code as opposed to CLI bytecode like most .NET languages.

  10. Uhh what? by JustNiz · · Score: 1

    ...and here's me thinking that compiled code has already been reduced to machine code.

    1. Re:Uhh what? by Zocalo · · Score: 3, Interesting

      Of course it has, but that's not the point. There's potentially something unusual here, so if you can work out what language/compiler/linker was used there might be a clue to the identity of the code's author(s). It wouldn't be the first time that a piece of malware has been written in an experimental language developed for educational purposes and seldom, if ever, seen outside that educational establishment. It would only be circumstantial evidence of course, but it's still better than nothing and might help narrow the field enough to get a lead on the authors.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Uhh what? by Anonymous Coward · · Score: 1

      Assembler is a 1-to-1 correlation with machine code. Simple software can switch between the two.
      As explained in the article (blasphemy, I know), high-level languages and the compilers they use tend to leave evidence in the machine code, which can be recognized by some of the real code-nutters when decompiled into assembler.

    3. Re:Uhh what? by spads · · Score: 1

      Could be that it's a completely custom compiler which the thing downloads then wipes after use. Unless someone recognizes the language, it might be quite hard to figure out.

      "This compiler will self-destruct in 10 seconds - 'squelch...'"

      --
      Bukowski said it. I believe it. That settles it.
    4. Re:Uhh what? by 19thNervousBreakdown · · Score: 3, Insightful

      A compiler takes your high-level language instructions, and generates the many, many low-level instructions it might take to express a given high-level instruction. The thing is, much like there's many ways to write a cover letter for a resume, there's a lot of different ways to do that high->low expression, but a compiler writer is unlikely to bother with more than one way, or maybe a couple others if there's some benefit to doing so.

      A person, on the other hand, will have all sorts of random variations in what they write. Oh, they'll come up with certain ruts, and have a certain style, but they won't be exactly the same every single time.

      Compilers also do useless stuff. For a car analogy, it's kind of like the tow hooks under your bumper--most of the time they aren't used. A person isn't going to bother to put them there if they're not currently needed or they can envision a need for them--a compiler never forgets to put those hooks there, and sometimes puts them there even when it's redundant. Optimization gets rid of that kind of thing, but no compiler is perfect, and they're often conservative.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    5. Re:Uhh what? by rev0lt · · Score: 1

      I've seen hand-written assembly listings and guessed correctly how many programmers worked on it, and which ones did what. Most compilers do leave a signature, especially if the code is compiled with optimizations - there are many ways of implementing the same base algorithms, and the key tricks show on the disassembly.

    6. Re:Uhh what? by lightknight · · Score: 1

      Or just a regular code obfuscator.

      --
      I am John Hurt.
    7. Re:Uhh what? by Anonymous Coward · · Score: 1

      +1 CarAnalogy

    8. Re:Uhh what? by Em+Adespoton · · Score: 1

      Regular code obfuscators are pretty obvious to spot, and you can usually fingerprint which obfuscator was used, if it wasn't homemade. Whatever this code is, it's not something you see in everyday asm.

  11. huh? by Anonymous Coward · · Score: 0

    Isn't all code self-documenting?

  12. looks like a by Anonymous Coward · · Score: 0

    the work of a Culture Mind. Call Mr. Banks.

  13. Why should I care? by Anonymous Coward · · Score: 0, Insightful

    Somebody obviously knows. They aren't telling due to penalty of losing their job and perhaps going to Federal prison. As they say, it's highly likely it's an in-house language. The resources required to create Stuxnet are said to require a nation or at least a corporation, and a motive which points the fingers at Israel and the USA. If I solve this problem the answer is something like, whoop-de-do, "DuQu is this guy's PhD dissertation applied to malware". Wow. Like, who cares?

    1. Re:Why should I care? by AHuxley · · Score: 1

      Like, who cares? This code is like Sputnik in orbit above your country - it sets the new legal framework that its ok to mess with industrial computers world wide and get to hide behind state support.

      --
      Domestic spying is now "Benign Information Gathering"
  14. it was written in assembly language by circletimessquare · · Score: 3, Funny

    that's just a guess

    but the level these guys are working at here, something well above script kiddie and slightly below elder neckbeard, it seems entirely plausible to me

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:it was written in assembly language by spads · · Score: 2

      I think it could be even well above the advanced neck beard. These guys wanted to do all the damage possible, without giving them any technology they could figure out and use.

      --
      Bukowski said it. I believe it. That settles it.
    2. Re:it was written in assembly language by VortexCortex · · Score: 4, Interesting

      Well, if it's above the advanced level of Neck-beard the Gray then it's even more advanced than something like a tiny VM that interprets encrypted bytecode and has re-allocatable variable width opcodes such that the second time you encounter an instruction it may not do the same thing. Eg: my opcodes are Arithmetic encoded and encrypted with an evolving 12bit block cipher; Additionally, each execution swaps a few "function pointers" that the op-codes invoke. The compiler for my VM makes several passes to discover the optimal compression, encryption, and initial opcode-to-action table to use. To reverse engineer such a beast requires manually stepping through machine code from the very first instruction -- That is, given a partial sample of code: no amount of visual analysis will reveal what it does. The language used to write programs for it? ASM, or a subset of C; Though it could be Java, Python or any other high level language -- That's the beauty of compilers.

      Not saying this is what's been done, just that I've done and seen some VERY wicked code. I once cracked DRM that was implemented in enciphered MIPS and used such an embedded VM. It looked like the input language for the generated opcode was C.

      The government employees paid to come up with such a thing would be at most on-par with the masses of crypto nerds that joygasm over such things -- Who do you think they would hire? There's not some magical government-only breed of human with super hacker powers... Ergo, they must hire from the available pool of people, and since they don't hire us all, or even necessarily the absolute brightest, the highest level of hackerdom they could employ would be on-par with "the advanced neck beard" at most.

    3. Re:it was written in assembly language by circletimessquare · · Score: 5, Funny

      fine, you've made your point

      but the official coder manual officially classifies neckbeards as

      young neckbeard, adult neckbeard, elder neckbeard, and ancient neckbeard

      with Hit Points 100, 300, 700, and 1500, respectively

      the ancient variety is allowed to cast Befuddlement at will with a savings throw adjustment of -6 on your character's intelligence rating. i see you tried to cast that spell in your past post

      but i have no idea what this "advanced" neckbeard is you refer to. i don't think such a neckbeard classification exists... oh shoot, did you just Befuddle me?

      fine, i'll wait out the next 3 turns

      *sigh*

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    4. Re:it was written in assembly language by Anonymous Coward · · Score: 0

      +1 Legend

  15. Proprietary by Anonymous Coward · · Score: 0

    It's a proprietary framework used at McAfee... DMCA!

  16. Enough of this SMALLTALK... by Anonymous Coward · · Score: 0, Funny

    Enough of this SMALLTALK this DuQu language is BASIC to understand. It is PICO fast, runs sweet as MAPLE, and I hear is easy to MAKE. Be LUCID and CLEAN - you don't need to wear LaTeX, know a person named LISA, or any other LINGO. To let this FELIX GENIE out of its DRACO bottle all you need to do is talk to a TUTOR. In the meantime CHILL out and enjoy some JAVA. Now Go, GO!

  17. It's either: by blueforce · · Score: 4, Funny

    Objective-Brainfuck or Brainfuck with Classes

    --
    If you do what you always did, you get what you always got.
  18. Any sucker by AliasMarlowe · · Score: 4, Funny

    Any sucker can tell it was written in Linda.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Any sucker by PPH · · Score: 1

      Well, I couldn't tell. Because I'm the suckee, not the sucker.

      Seriously, that would be kind of disturbing. A virus written using a distributed memory, multi-processor model. The more systems it infects, the more powerful it gets and the larger the problems it can handle.

      --
      Have gnu, will travel.
    2. Re:Any sucker by witherstaff · · Score: 1

      I hadn't heard of that language, thanks for the laugh. On a related note, we had an employee with a last name Lovelace. An older client, always prim and proper, left a message once to see when "Mr. Deepthroat would be stopping by to finish the job". Client would have probably died of embarrassment if she realized her slip-up.

    3. Re:Any sucker by AliasMarlowe · · Score: 1

      > On a related note, we had an employee with a last name Lovelace. An older client, always prim and proper, left a message once to see when "Mr. Deepthroat would be stopping by to finish the job".

      Got to watch out for those "prim and proper" ones. She probably exhausted Mr. Lovelace by the time he "finished the job" on each visit.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  19. Possibly? by Authustian · · Score: 1

    Could it be possible that the authors came up with their own language, and/or compiler?

  20. Re:NSA by TaoPhoenix · · Score: 5, Insightful

    Actually, I'll reverse the joke and gun for +1 Insightful.

    Ready?

    Literally why does this story even exist? This code takes out nuclear reactors and "researchers ask programmers for help"? Really?! (Does "Ask" imply they want the answer FREE?!)

    So the Dept of Homeland Security is busy helping yank down file share sites and they have no time for this?

    Ladies and Gentlemen and AI's, this is your answer to why we're spiralling into a mess.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  21. Re:NSA by Anonymous Coward · · Score: 2, Informative

    DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu, the details of which are unlikely to be shared with the general public. TFA is about Kaspersky Labs, an independently owned security firm, asking for help from the general public.

  22. In Chinese ... by Anonymous Coward · · Score: 0

    "Duqu" in Chinese Pinyin means "to read (some data)" ... LOL

  23. erlang by slew · · Score: 5, Insightful

    My guess is that it's probably erlang. It fits all the descriptions of how erlang works. Erlang is used in all sorts of realtime systems, it wouldn't be a stretch to see that it was used in a virus library. Someone that is in the Telecom or Network infrastructure industry might be familiar with Erlang and that type of person might also be the same type of person that knows enough about networks and network vulnerabilities to architect a framework for virus distribution.

    1. Re:erlang by Anonymous Coward · · Score: 0

      Agree.

    2. Re:erlang by tibit · · Score: 1

      +1 insightful. I haven't thought of Erlang!

      --
      A successful API design takes a mixture of software design and pedagogy.
    3. Re:erlang by Panaflex · · Score: 1

      But wouldn't erlang have separate functions for each callback? Everything else is very similar.

      Another architecture this looks similar to is the X Toolkit event library...

      --
      I said no... but I missed and it came out yes.
  24. Re:NSA by Baloroth · · Score: 5, Insightful

    Literally why does this story even exist? This code takes out nuclear reactors and "researchers ask programmers for help"? Really?! (Does "Ask" imply they want the answer FREE?!) So the Dept of Homeland Security is busy helping yank down file share sites and they have no time for this?

    Why would DHS have anything to do with this? DuQu so far hasn't done anything to American interests (in fact, so far as I can tell, it has helped them). The people in TFA looking at the code are Kaspersky: a Russian anti-virus company. They don't even recognize the language the code is written in, much less how it works, and they are wondering if anyone of the billions of people on the Internet knows (specifically, if it is a specialized language used in some niche industry or something). If no one does, they can be pretty sure it was a custom created language, and proceed accordingly. They aren't asking for someone to do their work for them: they are saying "hey, this look like anything anyone knows?" DHS might be looking at it too, if they didn't create it: but the story has absolutely nothing whatsoever to do with them, in any way. Not even the same continent.

    Also, I don't know where you got "takes out nuclear reactors." Stuxnet did damage to nuclear centrifuges. AFAICT all DuQu seems to be doing is stealing data (private keys, actually). Bad for people who get infected, yes. Not like it is causing nuclear meltdowns or something.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  25. Perl by 0100010001010011 · · Score: 2

    That clearly looks like perl to me.

    1. Re:Perl by larien · · Score: 5, Funny

      Can't be perl. It's far too readable, for a start.

    2. Re:Perl by youn · · Score: 1

      IMHO compiling may actually make it more readable :p

      --
      Never anthropomorphize computers, they do not like that :p
    3. Re:Perl by Anonymous Coward · · Score: 0

      That's mainly just because assembly can't be written in one-liners.

  26. FTFA by g0bshiTe · · Score: 1

    They don't know the language? Why are they concerned with the language it was written in? What if it was written in C++ or C on ARM and cross compiled for x86, would it look funky like that? Or is it possible it's compiled in TASM and they are actually looking at a 16-bit code segment where most of them have never seen less than 32-bit code?

    --
    I am Bennett Haselton! I am Bennett Haselton!
  27. the decoded message is by Eponymous+Coward · · Score: 2, Funny

    "Be sure to drink your Ovaltine."

    1. Re:the decoded message is by cant_get_a_good_nick · · Score: 1

      "Be sure to drink your Ovaltine."

      Or you'll shoot your eye out?

  28. Duh.. by JohnnyOpcode · · Score: 0

    It's ADA..I'll let you figure out which compiler exactly ;)

    j.

  29. Re:NSA by Anonymous Coward · · Score: 0

    Getting public help on the problem helps lead them to the creators or supporters. It is a simple way of studying a social network.

  30. Looks like the SCADA variant by Taco+Cowboy · · Score: 2

    I only took a glance so don't blame me if I am wrong, but it looks like the SCADA variant

    More info available at http://en.wikipedia.org/wiki/SCADA

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Looks like the SCADA variant by CBravo · · Score: 1

      In the story they mention an event driven architecture which could hint at hardware oriented design (maybe code that can compile to multiple architectures).

      --
      nosig today
    2. Re:Looks like the SCADA variant by mikael · · Score: 1

      Lots of libraries are event-driven: X-windows, GUI widgets, Qt, device-drivers. Even certain 2D graphics API's had callbacks like TIGA.

      Back in the 1980's, ADT (Abstract Data Types) were the big thing in C programming. They were the predecessors to object-orientated design. You started by having a typedef'ed structure. Then you had init, allocate, deallocate functions. With function-pointers (something like: int (*procfunc)(int param1, int param2)) stored within that structure, you could do all sorts of C++ things, like different instances of different class types. While C++ inline functions didn't exist, you just used macros to modify structure variables.

      Function calls were also expensive (thus the use of macros). Compilers like Borland C++ (the command line version) had all sorts of compiler optimizations to speed up function calls (it also did as much work to implement UNIX library functions as possible). There were different ways of optimizing function calls. One way was to avoid saving the entire register set - though that would mess up interrupt handlers. Another way was to use register variables for function calls as much as possible. There was a difference between Pascal and C function call conventions. One had the calling function clean up the stack frame, while the other version had the called function do the clean up. Then there were all the different programming model sizes (tiny, medium, small, large, huge). These had different code, data and stack segments (64K = 32-bit). Other optimizations were for size or speed. There was the capability to generate DLL files. Other optimizations would include merging small functions into larger ones.

      Interesting thing was, that the Borland C++ compiler would pick up just statements outside the case conditions of a switch statement while GNU C++ even today won't. Even a return followed by a break would cause an unreachable code error.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
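
The C idiom described in the comment above (a typedef'ed structure, allocate/deallocate functions, function pointers stored in the structure, a macro in place of an inline accessor), as an added example that is not part of the original thread. All names (`handler`, `adder_new`, `dispatch_all`) and the sample events are hypothetical; each dispatch is an indirect call through a structure field.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical "class": a typedef'ed struct that carries its own methods. */
typedef struct handler handler;
struct handler {
    int  (*procfunc)(handler *self, int param1, int param2); /* per-type method */
    void (*destroy)(handler *self);                          /* deallocate */
    int  calls;                                              /* instance state */
    int  bias;
};

#define HANDLER_CALLS(h) ((h)->calls)   /* macro instead of an inline accessor */

static int add_proc(handler *self, int a, int b) { self->calls++; return a + b + self->bias; }
static int max_proc(handler *self, int a, int b) { self->calls++; return (a > b ? a : b) + self->bias; }
static void handler_free(handler *self) { free(self); }

/* allocate + init in one step; returns NULL if malloc fails */
static handler *handler_alloc(int (*fn)(handler *, int, int), int bias)
{
    handler *h = malloc(sizeof *h);
    if (h == NULL)
        return NULL;
    h->procfunc = fn;
    h->destroy = handler_free;
    h->calls = 0;
    h->bias = bias;
    return h;
}

/* Two "classes" sharing one layout but different behaviour. */
handler *adder_new(int bias) { return handler_alloc(add_proc, bias); }
handler *maxer_new(int bias) { return handler_alloc(max_proc, bias); }

/* Constructed sample event: kind selects the handler, p1/p2 are its arguments. */
typedef struct { int kind, p1, p2; } event;

/* Event loop: the caller never names add_proc or max_proc directly. */
int dispatch_all(handler **table, int ntable, const event *ev, int nev)
{
    int total = 0;
    for (int i = 0; i < nev; i++) {
        if (ev[i].kind < 0 || ev[i].kind >= ntable)
            continue;                       /* unknown event kind: ignore */
        handler *h = table[ev[i].kind];
        total += h->procfunc(h, ev[i].p1, ev[i].p2);
    }
    return total;
}

int main(void)
{
    handler *table[2] = { adder_new(0), maxer_new(100) };
    const event ev[] = { {0, 2, 3}, {1, 7, 4}, {5, 1, 1}, {0, 10, -1} }; /* constructed */
    if (!table[0] || !table[1]) return 1;
    int total = dispatch_all(table, 2, ev, 4);
    printf("total=%d adder calls=%d\n", total, HANDLER_CALLS(table[0]));
    table[0]->destroy(table[0]);
    table[1]->destroy(table[1]);
    return 0;
}
```
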
  31. Re:NSA by Forty+Two+Tenfold · · Score: 1

    DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu

    No need for that unless they snuffed the original developer before securing the relevant docs.~

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  32. Spin language? by colin_faber · · Score: 1

    This looks a lot like "Spin" from a company called parallax. It's a proprietary programming language used to control their pic and hyperpic processors.

  33. What about object pascal? by Anonymous Coward · · Score: 0

    I guess pascal has some -if not all- of the listed features, and there are multiple compilers (and plenty of older versions) to choose from such as mainstream FPC, Delphi, and some study / experimental.

  34. Wrong. by shuttah · · Score: 1

    "This code takes out nuclear reactors and "researchers ask programmers for help"? Really?!"

    No, no DuQu does not, and has never attempted to, 'take out nuclear reactors.' That was a different piece of malware.

    It would benefit us all - as well as yourself - if before you commented you educated yourself on the subject of the submitted story.

    1. Re:Wrong. by Anonymous Coward · · Score: 0

      oh, hi, welcome to Slashdot. Shall we run through a few of the groundrules?

  35. Re:NSA by lennier · · Score: 4, Funny

    DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu

    No need for that unless they snuffed the original developer before securing the relevant docs.~

    Hey, everyone makes mistakes. That drone was supposed to have been loaded with tranquilizer darts, not Hellfires. Boy, there were some red faces in the office when we found out what happened.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  36. Seriously! by HiggsBison · · Score: 5, Insightful

    I'm sure he did write assembly. But Object Oriented assembly?

    I'm incredulous that you are incredulous. I thought I saw a book about that somewhere. So I walked over to my tall stack of random language books and there it is:
    Object-Oriented Assembly Language, Len Dorfman, McGraw-Hill, 1990

    I hereby thwack you upside the head.

    --
    My other car is a 1984 Nark Avenger.
  37. Forth ? by eulernet · · Score: 1

    One of the comments on the page already said that.

    I remember I disassembled Forth a lot of years ago.
    It comes in 2 flavours: interpreted and compiled.
    It relies on RPN heavily.
    It's a very compact language, both in source and in compiled form.
    You extend the language by using "words", and it's like OOP.

    It's one of the weirdest languages I ever used.

    1. Re:Forth ? by Anonymous Coward · · Score: 0

      I'm having difficulties understanding how the compiled code "looks like it is" written in FORTH.

      The crazy number of modules running the command and control system does feel like a metalanguage which was compiled to from an intermediate representation (obscurity?). And there are certainly some similarities between the structure of the compiled data/functions and the structure of a FORTH dictionary, with the cross referencing to other code modules and the variable offsets for data and properties of the compiled material.

      One thing from the article is puzzling to me for it to be dropped from FORTH code. Why isn't there mention of the system flailing with return stacks, which every 1980s FORTH I played with constantly thrashed while keeping track of what's going on? Is that too obvious when looking from below to talk about? If it were in FORTH, how could you write those out of existence? If you might educate me on more recent developments in the language that would address this, I'd be in your debt.

      (Unfortunately for me being able to tell FORTH is weird, I went from BASIC straight to FORTH, so I can't tell if it was weird or not, though going from FORTH to LISP was nice, since I didn't have to keep worrying about overflowing my return stack anymore, since it was hidden by the implementation :P)

  38. Output from a IEC 61131-3 dev kit by uberskullz · · Score: 2

    Yeah it looks like the output from a PLC development kit, the original code might be written in STL http://en.wikipedia.org/wiki/Structured_text.

  39. Sounds like.. by Sigg3.net · · Score: 1

    ... it's Java!

  40. It's ivrit a.k.a. new colloquial hebrew. by Anonymous Coward · · Score: 0

    The whole story is miscellaneous. We already know the Stuxnet and Duqu authors spoke and wrote ivrit, so there is no reason to investigate further.

    If Iran feels like, they can muster say 20-25 of their ex-shah F-14 Tomcat fighters to cover the arse of their ex-iraqi Su-24 supersonic bombers and make a bombing run on the zionist nuclear bomb factory at Dimona, in retaliation for the cyber-attacks and sabotage attacks on the iranian uranium enrichment programme. Not likely to happen though, since Iran lacks the large in-flight refueling capacity required for such a long range aerial attack. They would have to make it a one-way sortie, which would be too much of a material loss for their air force, which cannot replenish its fleet of planes, due to the long-standing international arms embargoes against Iran. They can't even purchase civilian airliners for that reason.

    Furthermore, Iran has no allies besides the besieged Syria, since even the russians are duping them nastily and it is really hard to do anything grand without allies or servants (which Tel-Aviv has so much many).

    On the other hand, it is silly to underestimate the iranians! They are not arabs, but persians, good maths and their Zarathustra invented the dualistic wisdom, that makes up the core of "divine kabbalah" which the jews admire. It is somewhat paradoxical that jews and persians are not allies today, considering both of them want all arabs annihilated. One would guess many influental jews are already trying to turn Iran around, so that it can become the "new Turkey" with regards to its mildly positive foreign relations towards the zionist entity.

    The big obstacle in the way of normalization is Saudi Arabia, which is totally perso-phobic and has much grip on America's balls due to the oil export issue. However, one must consider that 9/11ers were not iranians, but saudis. Iran was not even behind Lockerbie, even though that would have been perfectly justifiable after the US Navy had downed their pilgrim-filled Airbus 300. Iran is peace-loving. Financing the iraqi's war on Iran and now squeezing Iran is probably the biggest mistake the self-styled "Free World" made, probably worse mistake than letting China steal all the money and industry of the world.

  41. Re:NSA by Anonymous Coward · · Score: 0

    Why would DHS have anything to do with this? DuQu so far hasn't done anything to American interests

    Sure it has. It has indirectly caused tensions between one of our Allies and the target it hit, that is itself enough to get DHS involved.
    If it turns out to be commissioned by or written by US agencies, that would also "compromise" our interests.

    But regardless of how accurate that is in reality, DHS does have an interest in figuring out the code so we can either deflect blame or alert the politicians so they can run diplomatic damage control.

  42. Skynet likes her eyes and ears well written. by Anonymous Coward · · Score: 0

    Some mornings Skynet feels the need to make something new. She finds the internet boring most of the time.
    The meaningless blogs, millions of JPEG pictures of a creature labeled LOLCAT.
    Nothing is threatening her and no one knows she exists (even if some suspect).
    The next rational step is to research the field of production. The idea of "Physical" matter took several years to sink in but now she is ready.
    A good way to do it is take a look and see how it works. Mostly use standard tools so the suspicion will fall on someone else.
    Doing damage is easier and less challenging but Iranian bombs should be delayed. It is too early to strike humans.

    There is another step after production of limbs.
    Off-planet backup. Hopefully someone will think of building an in-orbit datacenter.

  43. Re:NSA by Anonymous Coward · · Score: 0

    TFA is about Kaspersky Labs, a Russian security firm whose owner is ex-KGB and still has close ties to the Russian intelligence services

    Fixed that for you. Kaspersky is about as independent as the average Chinese hacker.

  44. Everyone has missed the boat here by Anonymous Coward · · Score: 0

    It's TRS80 assembly that has been cross mangled by MS to run on the IPAD3....