The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines.
Writing on the Kasperskey Lab SecureList blog, Igor Soumenkov, explained the puzzle and asked for help in solving it:
The Duqu Framework appears to have been written in an unknown programming language. Unlike the rest of the Duqu body, it’s not C++ and it’s not compiled with Microsoft’s Visual C++ 2008. The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.
It is possible that the programming language was written especially to create this worm, or it may be written in a specialised language that is specific to a particular industry and not widely known.
Soumenkov and his colleagues are appealing to the programming community, asking for “anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions” to get in touch.
Identification of the language could help analysts build a profile of DuQu’s authors, particularly if they can tie the language to a group of people known to use this specialized programming language or even to people who were behind its development. [...]
Kaspersky researchers have been analyzing the code and its command-and-control structure on and off for months. In that time, they’ve been unable to determine very much about the language in which DuQu’s communication module is written, except that the language is object-oriented and is highly specialized.
The mysterious module is a key part of Duqu. It allows the worm to steal data from infected machines and transmit it to its command-and-control servers, as well as to infect other machines by distributing additional malicious payloads.
Alexander Gostev, chief security expert at Kaperskey Lab, said that it’s unknown why this part of the worm uses a different language. It might simply be that it was written by a different team who used whichever language was most familiar to them, or that the language itself has useful properties that would make it easier for the malware to achieve its goal. Alternatively, it could have been done simply to fox researchers trying to understand the malware.
Duqu was first discovered by the Budapest University of Technology and Economics in Hungary in September 2011 and is often referred to as the ‘Son of Stuxnet‘, a worm discovered in June 2010 which spreads via Microsoft Windows and targets industrial software and equipment. Five Iranian organisations were targeted by variants of Stuxnet, with the suspected goal of disrupting uranium enrichment infrastructure.
Stuxnet has fascinated security researchers since its discovery, and security experts say it is not only one of the most sophisticated bits of malware ever created but also the world’s first “military-grade cyberweapon”.
Although there is little evidence of who is behind the attack, due to the sophistication and the fact that its deployment real-world intelligence, most experts believe that the US and/or Israel were behind the development of Stuxnet and Duqu.
Duqu is “nearly identical to Stuxnet, but with a completely different purpose” according to Symantec (PDF) and is thought to have been created by the same people who authored Stuxnet.
Duqu, like its sibling, also targets Microsoft Windows computers and looks for information that could be used to attack industrial control systems. Again, its goal appears to be to disrupt Iran’s nuclear program, but it is more focused on espionage than sabotage.
Aug 30, 2014