Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mystery of Duqu Programming Language Solved

Posted by samzenpus on from the solving-a-mystery dept.

wiredmikey writes "Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to 'Duqu,' the Trojan often referred to as 'Son of Stuxnet,' which surfaced in October 2010. The mystery rested in a section of code written an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected system. Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called 'OO C' and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion."

4 of 97 comments (clear)

  1. Source Code? by deemen · · Score: 3, Insightful

    How did they deduce it was an unknown programming language? By looking at the compiled machine code? How could they tell this wasn't just regular C?

    1. Re:Source Code? by Baloroth · · Score: 4, Insightful

      There are certain characteristics to the way C++ behaves (the manner in which you pass parameters, etc). Mainly, through having looked at lots and lots of code samples, they can say what they expect the compiled code to look like. If they know C++ compiled code looks like x, regular C looks like y, and this looked like z, it can't be C. Essentially, the code did things you simply can't do in C++ or C (even Objective C) by itself. The problem is, that method only allows you to compare to known languages. More details here.

      It's basically like identifying an animal by footprint. Once you know a deer leaves a certain kind of footprint, you can identify more deer by examining footprints. But you can't identify an unknown animal that way: if you haven't seen a given footprint before, you won't know what animal it is, only what general characteristics it has (weight, etc.)

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    2. Re:Source Code? by Sarten-X · · Score: 4, Insightful

      Knowing the language and techniques used can speed up analysis of future variants found, because they'll know what patterns to look for first.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  2. Old-school or new-school? by j33px0r · · Score: 4, Insightful

    FTFA:

    Why did the authors of Duqu use OO C? While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, Kaspersky experts say there are two reasonable causes that support its use [More control over the code & Extreme portability]. These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers

    Why OO C? Because it worked, because they new how to use it, because they knew it would throw Kaspersky for a loop, because they thought it was cool. There are many many reasons and they do not all have to be logical.

    Kaspersky experts might want to consider that the programming wheel of life may have turned and that what was once old-school is now new-school. Whose to say that the under-estimated script-kiddies cannot grow up to be formidable adults with a whole new bag of tricks?