19 March 2012

DuQu Undressed? Mystery Computer Language Revealed

DuQu, an espionage tool that followed in the wake of the infamous Stuxnet code, has been analyzed extensively since its discovery last year. But one part of the code remained a mystery: an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines.

Kaspersky researchers were unable to determine the language in which the communication module was written and published a blog post asking programmers for help. Identification of the language would help them build a profile of DuQu’s authors. _Wired
While other parts of DuQu were written in the C++ programming language and were compiled with Microsoft's Visual C++ 2008, this part was not. Kaspersky also ruled out Objective C, Java, Python, Ada, Lua and many other languages they knew.

Most commenters who wrote in response to Kaspersky’s plea thought the code was a variant of LISP, but the reader who led them in the right direction was a commenter who identified himself as Igor Skochinsky and wrote in a thread posted to Reddit.com that he was certain the code was generated with the Microsoft Visual Studio Compiler and offered some cogent reasons why he believed this. Two other people who sent Kaspersky direct emails made crucial contributions when they suggested that the code appeared to be generated from a custom object-oriented C dialect — referred to as OO C — using special extensions.

This led the researchers to test various combinations of compiler and source code over a few days until they found the right combination that produced a binary matching the style in DuQu.

The magic combination was C code compiled with the Microsoft Visual Studio Compiler 2008 using the options /O1 and /Ob1 in the compiler to keep the code small.

“Visual C can optimize for speed and it can optimize for size, or it can do some kind of balance between the two,” says Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. “But they wanted obviously the smallest possible size of code” to get it onto victim machines via an exploit.

...The use of object-oriented C to write the event-driven code in DuQu reveals something about the programmers who coded this part of DuQu: they were probably old-school coders, Kaspersky's researchers say. The programming style is uncommon for malware and is more commonly found in professionally-produced commercial software created ten years ago, Raiu says. The techniques make DuQu stand out "like a gem [from] the large mass of 'dumb' malicious programs we normally see," the Kaspersky researchers note.

...DuQu’s programmers might have chosen C because they wanted to make sure that their code could be compiled with any compiler on any platform, suggesting they were thinking ahead to other ways in which their code might be used.

...when you create such a complex espionage tool, you take into account that maybe some day you will run it on servers, maybe you will want to run it on mobile phones or God knows what other devices, so you just want to make sure your code will work everywhere.... _Wired
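To make concrete what "object-oriented C" looks like, here is an added example written for this post; it is not Duqu's source and makes no claim about the specifics of Kaspersky's findings. It shows the general idiom: each object carries, as its first field, a pointer to a table of function pointers (a hand-rolled vtable), a constructor fills that table in, a "subclass" shares the base layout and swaps in a different table, and an event loop dispatches every event through the table without knowing the concrete type. Compiled with plain C (on MSVC that would be `cl /O1 /Ob1`, the size-optimizing options named above), the result has the indirect calls and vtable pointers of C++ but none of its name mangling or runtime type information, which is why it resists identification as either language. The event IDs, struct names and sample payload are all constructed for the illustration.

```c
/* Illustration of the "object-oriented C" idiom: a struct whose first field
 * points to a table of function pointers, a constructor, a subclass that
 * overrides one method, and an event loop that dispatches through the table.
 * Example code written for this post, not Duqu's code. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Handler Handler;

/* The "class": one table of methods shared by every instance. */
typedef struct {
    void (*destroy)(Handler *self);
    int  (*on_event)(Handler *self, int event_id, const void *data, size_t len);
} HandlerVtbl;

/* The "object": vtable pointer first, then instance state. */
struct Handler {
    const HandlerVtbl *vtbl;
    int events_seen;
    int bytes_seen;
};

/* Base-class method: count events and bytes, report "not handled". */
static int base_on_event(Handler *self, int event_id, const void *data, size_t len) {
    (void)event_id; (void)data;
    self->events_seen++;
    self->bytes_seen += (int)len;
    return 0;
}

static void base_destroy(Handler *self) { free(self); }

static const HandlerVtbl base_vtbl = { base_destroy, base_on_event };

/* Base-class constructor. */
Handler *handler_new(void) {
    Handler *h = calloc(1, sizeof *h);
    if (h) h->vtbl = &base_vtbl;
    return h;
}

/* A "subclass": the base struct as first member keeps the layout prefix
 * identical, so a PayloadHandler* can be used wherever a Handler* is. */
typedef struct {
    Handler base;
    int payloads;
} PayloadHandler;

enum { EV_TICK = 1, EV_PAYLOAD = 2 };   /* constructed event IDs */

/* Override: call the "super" method, then handle payload events itself. */
static int payload_on_event(Handler *self, int event_id, const void *data, size_t len) {
    PayloadHandler *p = (PayloadHandler *)self;
    base_on_event(self, event_id, data, len);
    if (event_id == EV_PAYLOAD) p->payloads++;
    return event_id == EV_PAYLOAD ? 1 : 0;
}

static const HandlerVtbl payload_vtbl = { base_destroy, payload_on_event };

/* Subclass constructor. */
Handler *payload_handler_new(void) {
    PayloadHandler *p = calloc(1, sizeof *p);
    if (p) p->base.vtbl = &payload_vtbl;
    return (Handler *)p;
}

/* Event loop: every call goes through the vtable, so the loop never needs to
 * know which concrete type it is driving. Returns how many events were handled. */
int dispatch_all(Handler *h, const int *events, size_t n) {
    static const char payload[] = "constructed sample";   /* constructed data */
    int handled = 0;
    for (size_t i = 0; i < n; i++) {
        int is_payload = (events[i] == EV_PAYLOAD);
        handled += h->vtbl->on_event(h, events[i],
                                     is_payload ? payload : NULL,
                                     is_payload ? sizeof payload : 0);
    }
    return handled;
}

int main(void) {
    int events[] = { EV_TICK, EV_PAYLOAD, EV_TICK, EV_PAYLOAD };
    Handler *h = payload_handler_new();
    int handled = dispatch_all(h, events, 4);
    printf("handled=%d events_seen=%d bytes_seen=%d\n",
           handled, h->events_seen, h->bytes_seen);
    h->vtbl->destroy(h);   /* virtual destructor, OO-C style */
    return 0;
}
```

In a disassembler the calls through `h->vtbl->on_event` appear as indirect calls via an offset from the object pointer, exactly as C++ virtual calls do, while the absence of mangled symbols, RTTI and exception tables is what points back to plain C. Build and run with `gcc -Os -std=c99 ooc.c && ./a.out` or, on Windows, `cl /O1 /Ob1 ooc.c`.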
Small, clean, and versatile... it requires a lot of work and patience to reach the optimal approach to creating a tool such as Duqu. We seem to be looking at professional programmers with experience and savvy. But one can find such programmers in most countries of Europe, North America, East or South Asia, or Oceania.

To narrow the field, one must look at the apparent targets of a particular weapon. Judging by the apparent targets of Duqu so far, China is the best guess for the originators and ongoing master controllers of Duqu.

4 Comments:

Blogger Matt M said...

Why the woman undressing? Was that meant for your sex blog?

Tuesday, 20 March, 2012  
Blogger al fin said...

Are you referring to Al Fin, You Sexy Thing!, www.alfin2500.blogspot.com? No, the image relates to the title of the post.

Undressing is usually not a prologue to sex, by the way. Most cases of undressing precede other activities, such as showering, changing to other sets of clothing, or going to an empty or chaste bed.

If my assistant Alice had chosen the image, she would have likely chosen a male exotic dancer stripping, to provide the visual metaphor. Such an image would have more clear sexual overtones, given the association between strippers and sexual favours on the side.

Tuesday, 20 March, 2012  
Anonymous Anonymous said...

My instinct would have been to avoid C++ because you definitely don't want inefficient object-oriented programming support. I took a class in C++, but I think I've programmed more in C, and my language of choice for everyday things is Java (which is entirely unsuitable for a virus).

Tuesday, 20 March, 2012  
Blogger al fin said...

Good point, Carl.

The full article gave more reasons for choosing C over C++ in a virus.

Wednesday, 21 March, 2012  
