An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan. The sections responsible for downloading and executing additional modules in the Duqu Trojan, referred to by some as Stuxnet 2.0, were written in standard C++.
Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.
Kaspersky’s Igor Soumenkov wrote, “No matter which of these two variants is true, the implications are impressive. The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers,”.
Kaspersky’s analysis now concludes:
- The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1″ and “/Ob1″
- The code was most likely written with a custom extension to C, generally called “OO C”
- The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
- The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan
The Duqu Framework may have been created by a different programming team, since it is unique to Duqu, unlike many parts of Duqu that seem to be directly borrowed from Stuxnet. It’s believed that the developers are old school that don’t trust C++ and that’s probably why they relied on C. Another reason for using OO C is because back in the good old days it was more portable than C++.
Knowing the techniques used to develop the malware allows Kaspersky's researchers to make better guesses about who might be behind the code. Creating Duqu was a major project, so it’s possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it's even possible that those who created the Duqu framework were ignorant of the real purpose of their work.
Duqu was first detected in September 2011, but Kaspersky Lab believes it has seen the first pieces of Duqu-related malware dating back to August 2007. The Russian security firm also notes Duqu, like Stuxnet before it, is highly targeted and related to Iran’s nuclear program.