Researchers Seek Help In Solving DuQu Mystery Language
An anonymous reader writes "DuQu, the malicious code that followed in the wake of the infamous Stuxnet code, has been analyzed nearly as much as its predecessor. But one part of the code remains a mystery, and researchers are asking programmers for help in solving it. The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines."
NSA Property, Keep Out.
The mystery code isn't really much of a mystery; it's just how Duqu communicates with the Sith Lord.
"That's the way to do it" - Punch
I kid, I kid...
Why? It's entirely possible that this snippet of code is a piece of in-line assembly. It may have started out coming from some higher-level language, but been tweaked or completely rewritten in assembly so that its origin is no longer recognizable.
Have gnu, will travel.
Or even self modifying assembly....
That would be a real pisser to figure out.
Check your premises.
Who would be insane enough to write OO code in assembly?
If I have been able to see further than others, it is because I bought a pair of binoculars.
Of course it has, but that's not the point. There's potentially something unusual here, so if you can work out what language/compiler/linker was used there might be a clue to the identity of the code's author(s). It wouldn't be the first time that a piece of malware has been written in an experimental language developed for educational purposes and seldom, if ever, seen outside that educational establishment. It would only be circumstantial evidence of course, but it's still better than nothing and might help narrow the field enough to get a lead on the authors.
UNIX? They're not even circumcised! Savages!
That's just a guess.
But given the level these guys are working at here, something well above script kiddie and slightly below elder neckbeard, it seems entirely plausible to me.
Intellectual property law is philosophically incoherent. It is your moral duty to ignore it or sabotage it.
My dad did. Maybe he's behind this. But he was a first generation programmer. Trying to get him to move on from assembly was a pointless endeavor.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
Objective-Brainfuck or Brainfuck with Classes
If you do what you always did, you get what you always got.
Any sucker can tell it was written in Linda.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Actually, I'll reverse the joke and gun for +1 Insightful.
Ready?
Literally why does this story even exist? This code takes out nuclear reactors and "researchers ask programmers for help"? Really?! (Does "Ask" imply they want the answer FREE?!)
So the Dept of Homeland Security is busy helping yank down file share sites and they have no time for this?
Ladies and Gentlemen and AIs, this is your answer to why we're spiralling into a mess.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu, the details of which are unlikely to be shared with the general public. TFA is about Kaspersky Labs, an independently owned security firm, asking for help from the general public.
A compiler takes your high-level language instructions, and generates the many, many low-level instructions it might take to express a given high-level instruction. The thing is, much like there's many ways to write a cover letter for a resume, there's a lot of different ways to do that high->low expression, but a compiler writer is unlikely to bother with more than one way, or maybe a couple others if there's some benefit to doing so.
A person, on the other hand, will have all sorts of random variations in what they write. Oh, they'll come up with certain ruts, and have a certain style, but they won't be exactly the same every single time.
Compilers also do useless stuff. For a car analogy, it's kind of like the tow hooks under your bumper--most of the time they aren't used. A person isn't going to bother to put them there if they're not currently needed or they can envision a need for them--a compiler never forgets to put those hooks there, and sometimes puts them there even when it's redundant. Optimization gets rid of that kind of thing, but no compiler is perfect, and they're often conservative.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
My guess is that it's probably Erlang. It fits all the descriptions of how Erlang works. Erlang is used in all sorts of realtime systems; it wouldn't be a stretch to see that it was used in a virus library. Someone in the telecom or network infrastructure industry might be familiar with Erlang, and that type of person might also be the same type of person that knows enough about networks and network vulnerabilities to architect a framework for virus distribution.
Literally why does this story even exist? This code takes out nuclear reactors and "researchers ask programmers for help"? Really?! (Does "Ask" imply they want the answer FREE?!) So the Dept of Homeland Security is busy helping yank down file share sites and they have no time for this?
Why would DHS have anything to do with this? DuQu so far hasn't done anything to American interests (in fact, so far as I can tell, it has helped them). The people in TFA looking at the code are Kaspersky: a Russian anti-virus company. They don't even recognize the language the code is written in, much less how it works, and they are wondering if anyone of the billions of people on the Internet knows (specifically, if it is a specialized language used in some niche industry or something). If no one does, they can be pretty sure it was a custom-created language, and proceed accordingly. They aren't asking for someone to do their work for them: they are saying "hey, does this look like anything anyone knows?" DHS might be looking at it too, if they didn't create it: but the story has absolutely nothing whatsoever to do with them, in any way. Not even the same continent.
Also, I don't know where you got "takes out nuclear reactors." Stuxnet did damage to nuclear centrifuges. AFAICT all DuQu seems to be doing is stealing data (private keys, actually). Bad for people who get infected, yes. Not like it is causing nuclear meltdowns or something.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
That clearly looks like perl to me.
"Be sure to drink your Ovaltine."
I only took a glance so don't blame me if I am wrong, but it looks like the SCADA variant
More info available at http://en.wikipedia.org/wiki/SCADA
Muchas Gracias, Señor Edward Snowden !
I don't understand why they are avoiding this option like the plague. C'mon... practically every compiler compiles its language into assembly and runs that through an assembler for final object code creation. (Though some will then run THAT through an optimizer etc.) There's absolutely no reason for them to insist it can't be written in native assembler. I wrote many things for the 6502 that way; if you want it fast and small, that's the way to go.
And sorry, if they have to reverse it back into C++ or some other higher-level language to figure out what it does, they're idiots, no better than script kiddies. I don't care if they have ten CS master's degrees. Assembly just takes a little more time to work out; it's not like it's encrypted and they don't have the key.
None of this should come as a surprise to anyone. The authors are black-hats. They make their living on buffer overflows and bug exploitation, they damn well know how to code in assembly, and specifically how to tear it apart and analyze it in fine detail. Why can't these "experts" do that?
I work for the Department of Redundancy Department.
DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu
No need for that unless they snuffed the original developer before securing the relevant docs.
Hey, everyone makes mistakes. That drone was supposed to have been loaded with tranquilizer darts, not Hellfires. Boy, there were some red faces in the office when we found out what happened.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
I'm sure he did write assembly. But Object Oriented assembly?
I'm incredulous that you are incredulous. I thought I saw a book about that somewhere. So I walked over to my tall stack of random language books and there it is:
Object-Oriented Assembly Language, Len Dorfman, McGraw-Hill, 1990
I hereby thwack you upside the head.
My other car is a 1984 Nark Avenger.
I think most are missing the point. They probably already know what it does (if they don't, given the effort they have expended, then they are boobs). What they want to do is find what the language was *in order to track down the authors*, on the premise that it was some strange language only used in a few places, and if they find it, they can narrow the range of likely candidates.
Ok, you and someone on the article both said the same thing, with absolutely nothing to back it up. Care to elaborate? I'm particularly curious how a .NET bytecode executable ends up as baroque machine code as opposed to CLI bytecode like most .NET languages.
Program Intellivision!
Yeah, it looks like the output from a PLC development kit; the original code might be written in STL: http://en.wikipedia.org/wiki/Structured_text.
Actually, it looks like the result of a macro assembler module. The MOV functions give it away. The only reason for doing that is to make it faster or to reduce the code size, not necessarily to obfuscate. The programmer is old school.
Don't be apathetic. Procrastinate!