Mystery of Duqu Deepens As Researchers Ponder Unknown Programming Language

2012-03-08T19:02:38
ID THREATPOST:F08C97C7B435EB4AE7CEE878B3B57846
Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:05:38

Description

Segments of code within the mysterious information stealing trojan, Duqu, seem to have been written in an unknown programming language according to a new report from Securelist.

Kaspersky Lab Expert, Igor Soumenkov claims that Duqu’s payload DLL initially looked like standard Windows executable, but it turns out that it is actually derived from several “slices” of code. These slices appear to have been created in separate object files and later compiled into a single DLL.

Most of the slices of code can be found in any standard C++ program. The largest slice, however, which Soumenkov refers to as the Duqu Framework, is used to create the command and control function and was created using a programming language nobody has ever seen before. Soumenkov describes it as an object-oriented language, but one that contains no references to C++ functions, and doesn’t match any other high level programming or scripting language like C++, Objective C, Java, Python, Ada or Lua.

The way in which the Duqu authors implemented their code is distinctive, also, Kaspersky researchers found. Everything within Duqu is wrapped in objects, researchers found. The function table has been placed in the class instance and is modifiable after construction. There’s no distinction between utility classes and user-written code, and objects communicate using method calls, deferred execution queues, and event-driven callbacks. There are no references to run-time library functions, with native Windows API calls used instead.The net effect of these unusual features is a modular architecture that can be used under pretty much any conditions, including asynchronous commutations.

Duqu’s size indicates that possibility that one team designed the framework while another was responsible for the drivers, system infection, and exploits.

You can read a more thorough and technical analysis of the Duqu Framework and also throw in your two cents regarding the mystery language here.