Duqu trojan built by 'old school' programmers, Kaspersky says

Researcher cites choice of Object Oriented C programming language for critical Duqu component

The use of a little used programming language to create part of the the Duqu trojan, an espionage tool that last year attracted lots of attention for its many Stuxnet-like features, indicates that it may have been written by experienced, old school programmers, a security researcher at Kaspersky Labs said Monday.

In a blog post today, Kaspersky security researcher Igor Soumenkov said Duqu's command and control (C&C) component appears to have been developed using Object Oriented C (OO C), a somewhat archaic custom extension to the C programming language.

While most of Duqu was written in the C++ language and compiled with Microsoft's Visual C++ 2008, the C&C module was written in pure C and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) using two specific options to keep the code small.

The choice of language suggests that at least some Duqu developers started programming at a time when Assembler was their language of choice and then moved to C when it became more fashionable, Soumenkov said.

"When C++ was published, many old school programmers preferred to stay away from it because of distrust," he added.

Duqu , a remote access Trojan created to steal data from industrial control systems, was discovered last November by the Laboratory of Cryptography and Systems Security (CrySys) in Budapest. The malware attracted considerable attention because of similarities to the Stuxnet virus that disrupted operations at Iran's Natanz nuclear facility in 2010.

Many researchers have speculated that the two pieces of malware may have been written by the same authors, though with slightly different goals in mind.

Stuxnet was designed to physically damage industrial control equipment while Duqu was designed mostly to steal data from industrial control systems in order to attack them later.

Though opinions about the severity of the threat posed by Duqu varied, many researchers considered the malware to be the work of sophisticated, well-funded, and likely government-supported, hackers.

Earlier this month, Soumenkov said in a blog post that Kaspersky Labs had found an interesting anomaly in a component of Duqu that was used to communicate with command and control servers -- unlike the rest of Duqu, it was not written in C++ and was not compiled using Visual C++ 2008.

"The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked," Soumenknov had noted. In the post, Soumnenkov asked for help identifying frameworks, toolkits or programming languages that could generate such Duqu-like code.

The request elicited more than 200 comments and over 60 emails from other programmers citing language, including Forth, Erlang, Delphi, OO C and variants of LISP, that could have been used, Soumenkov said.

Three comments and two emails, including one from an anonymous source, helped Kaspersky determine that the code was developed using pure C compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008), he said.

Developers of the Duqu Trojan appear to have reused older code written by top notch 'old school" programmers," Soumenkov noted.

"Such techniques are normally seen in professional software and almost never in today's malware," he said. The manner in which the code was developed suggests that Duqu, like Stuxnet, "is a 'one of a kind' piece of malware which stands out like a gem from the large mass of 'dumb' malicious program we normally see."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)