Duqu Framework's Mystery Language Identified As Custom C

When Kaspersky Labs revealed its analysis of the Duqu Trojan earlier this month, its researchers were stumped by a block of code that appeared to be written in a previously unseen programming language. With the help of the internet, Kaspersky has now identified the code: not a new computer language, but rather an old one.

The block of code in question allowed the Duqu Trojan to communicate with its home server and receive updated instructions once it had infiltrated a system. This block of code was dubbed the Duqu Framework. Kaspersky Labs published the block of code and requested suggestions as to what it was from the online security community.

One week and more than 200 replies later, the mystery has been solved. Kaspersky is very confident that the Duqu Framework is written in a custom object-oriented C framework and compiled with MSVC 2008 with the "minimise size" and "expand only inline" optimisation options enabled.

The practice is likely explained either by distrust of C++ compilers, which used to be much less reliable and often suffered memory-allocation problems, or by the program having been designed to build on a variety of compilers beyond the usual MSVC compiler.

The hacker's preference for C suggests that they are "experienced, 'old-school' developers," according to Igor Soumenkov of Kaspersky. [Secure List]
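As an added illustration of what "object-oriented C" looks like in practice (this is not Kaspersky's analysis or Duqu's code; the class names and values are hypothetical), the pattern is a struct whose first field points to a hand-built table of function pointers, a constructor that fills that table in, and method calls that go through the table, which is the shape an analyst recognises in a disassembler:

```c
#include <stdlib.h>
/* Hand-rolled class: a table of function pointers (the "vtable") shared by
 * every instance, and an object whose first field points at that table.
 * Hypothetical illustration of the pattern, not Duqu's code. */
typedef struct Counter Counter;
typedef struct {
    int  (*add)(Counter *self, int n);   /* "virtual" method */
    void (*destroy)(Counter *self);      /* "virtual" destructor */
} CounterVTable;

struct Counter {
    const CounterVTable *vt;  /* first field, like a C++ object's vptr */
    int value;
};

static int  counter_add(Counter *self, int n) { return self->value += n; }
static void counter_destroy(Counter *self)   { free(self); }
static const CounterVTable counter_vt = { counter_add, counter_destroy };
Counter *counter_new(int start) {          /* constructor */
    Counter *c = malloc(sizeof *c);
    if (c) { c->vt = &counter_vt; c->value = start; }
    return c;
}

/* "Subclass": embeds the base as its first member so a BoundedCounter* can be
 * used wherever a Counter* is expected; its own vtable overrides add(). */
typedef struct { Counter base; int limit; } BoundedCounter;

static int bounded_add(Counter *self, int n) {
    BoundedCounter *b = (BoundedCounter *)self;
    int next = b->base.value + n;
    b->base.value = next > b->limit ? b->limit : next;
    return b->base.value;
}
static const CounterVTable bounded_vt = { bounded_add, counter_destroy };
Counter *bounded_counter_new(int start, int limit) {
    BoundedCounter *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->base.vt = &bounded_vt; b->base.value = start; b->limit = limit;
    return &b->base;
}

/* The caller only knows the base type: each call is an indirect jump through
 * the table, which is how the pattern shows up in a disassembler. */
int run_adds(Counter *c, int n, int times) {
    int last = c->value;
    while (times-- > 0) last = c->vt->add(c, n);
    return last;
}
```

Compiled with size optimisation, the constructors and the `vt->add` call sites are what remain visible; recognising them is what let analysts tell a hand-built framework apart from compiler-generated C++.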


Comments

    "The hacker’s preference for C suggests that they are “experienced, ‘old-school’ developers,” according to Igor Soumenkov of Kaspersky."

    or they are being taught by a Hannibal Lecter type.

      We covered C programming extensively in my Comp Sci degree - the lack of automated memory management meant that we could learn about it ourselves, and as a byproduct learn some nifty ways to overflow the stack. I'm not saying it's a uni kid behind this - just saying, maybe Kaspersky's profile is a little narrow.

    So what this article says is that new anti-virus programs are incapable of detecting viruses made with languages 20 years old?

      I'd say it's suggesting that new anti-viruses are incapable of detecting viruses made more complicated than the AV itself.
