Programmers Assist In Identifying Duqu Code Block

Kaspersky Lab UK : 20 March, 2012  (Technical Article)
The mysterious programming language used in the Duqu Framework section of the malware has now been identified
Kaspersky Lab recently appealed to the programming community for assistance in solving one of the biggest mysteries of the Duqu Trojan: identifying an unknown code block located inside a section of the malicious program’s Payload DLL. The unknown code section, titled the “Duqu Framework”, was the portion of the Payload DLL responsible for interacting with the Command & Control (C&C) servers after the Trojan infected a victim’s machine.

After receiving an incredible amount of helpful feedback from the programming community, Kaspersky Lab experts have stated with a high degree of certainty that the Duqu Framework consists of “C” source code compiled with Microsoft Visual Studio 2008 using special options for optimising code size and in-line expansion. The code was also written with a customised extension for combining object-oriented programming with C, generally referred to as “OO C”.

This kind of in-house programming is highly sophisticated and more commonly found in complex ‘civil’ software projects, rather than contemporary malware.

While there is no easy explanation as to why OO C was used instead of C++ for the Duqu Framework, there are two plausible reasons that support its use:

* More control over the code: When C++ was introduced, many ‘old school’ programmers preferred to stay away from it because they distrusted its memory allocation and other obscure language features that cause indirect execution of code. OO C provides a more predictable framework with less opportunity for unexpected behaviour.

* Extreme portability: About 10-12 years ago, C++ was not entirely standardised and it was possible to have C++ code that was not interoperable with every compiler. Using C gives programmers extreme portability, since it is capable of targeting every existing platform without the limitations associated with C++.
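To make the “OO C” idiom described above concrete, here is an added illustration (not code from Kaspersky Lab or from the Duqu sample): two hypothetical “classes”, IntBox and StrBox, embed a base struct whose first member points to a hand-built table of function pointers, and all calls go through that table. This is the source-level shape whose compiled form, structs led by a vtable pointer and indirect calls through it, analysts had to recognise in the disassembly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical "OO C": every object starts with a pointer to a table of
 * function pointers (a hand-rolled vtable) that a "constructor" installs. */
typedef struct Object Object;
typedef struct {
    int (*serialize)(const Object *self, char *out, size_t cap);
    void (*destroy)(Object *self);
} VTable;
struct Object { const VTable *vt; };          /* vtable pointer is member 0 */
static void object_destroy(Object *self) { free(self); }

/* "Class" IntBox inherits Object by embedding it as its first member. */
typedef struct { Object base; int value; } IntBox;
static int intbox_serialize(const Object *self, char *out, size_t cap) {
    const IntBox *b = (const IntBox *)self;   /* valid: base is first */
    return snprintf(out, cap, "int:%d", b->value);
}
static const VTable IntBox_vt = { intbox_serialize, object_destroy };

Object *IntBox_new(int v) {
    IntBox *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->base.vt = &IntBox_vt;                  /* constructor sets the vtable */
    b->value = v;
    return &b->base;
}

/* "Class" StrBox: same layout discipline, different table. */
typedef struct { Object base; char text[32]; } StrBox;

static int strbox_serialize(const Object *self, char *out, size_t cap) {
    return snprintf(out, cap, "str:%s", ((const StrBox *)self)->text);
}
static const VTable StrBox_vt = { strbox_serialize, object_destroy };

Object *StrBox_new(const char *t) {
    StrBox *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->base.vt = &StrBox_vt;
    snprintf(s->text, sizeof s->text, "%s", t);
    return &s->base;
}

/* Virtual dispatch: callers see only Object and jump through the table. */
int object_serialize(const Object *o, char *out, size_t cap) {
    return o->vt->serialize(o, out, cap);
}
void object_free(Object *o) { if (o) o->vt->destroy(o); }
```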

“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customised framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customised to integrate into the Duqu Trojan,” said Igor Soumenkov, Kaspersky Lab malware expert. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”

Kaspersky Lab would like to thank everyone who participated in the quest to help identify this unknown code.