When Kaspersky Labs revealed its analysis of the Duqu Trojan earlier this month, its researchers were stumped by a block of code that appeared to be written in a previously unseen programming language. With the help of the internet, Kaspersky has now identified the code, not as a new computer language but rather as an old one.
The block of code in question allowed the Duqu Trojan to communicate with its home server and receive updated instructions once it had infiltrated a system. This block of code was dubbed the Duqu Framework. Kaspersky Labs published the block of code and requested suggestions as to what it was from the online security community.
One week and more than 200 replies later, the mystery has been solved. Kaspersky is very confident that the Duqu Framework is written in a custom object-oriented C framework and compiled with MSVC 2008 with options — minimise size and expand only inline — activated.
The practice most likely reflects either a distrust of C++ compilers — which used to be much less reliable and often suffered memory-allocation problems — or a design goal of building the program with a variety of compilers beyond the usual MSVC compiler.
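As an added illustration (not Duqu's code and not taken from Kaspersky's analysis), the following shows the "object-oriented C" idiom that the finding refers to: a struct whose first member points to a table of function pointers, a constructor that installs that table, and method calls made indirectly through it. In a disassembly every call becomes an indirect call through the object's first field, which is why the compiled output can look like a language with an object model of its own. The class and function names (`Object`, `VTable`, `adder_vt`, `run_steps`, and so on) are constructed for this example.

```c
#include <stdlib.h>

/* Object-oriented C: a hand-rolled vtable instead of C++ classes.
 * All names here are constructed for illustration. */

struct Object;

/* The vtable: one function pointer per "virtual method". */
struct VTable {
    int  (*step)(struct Object *self, int n);   /* virtual: advance state */
    void (*destroy)(struct Object *self);       /* virtual: destructor */
};

/* Base object layout: the vtable pointer is the first field, as in most
 * OO-in-C code, so every method call is an indirect call through [obj+0]. */
struct Object {
    const struct VTable *vt;
    int state;
};

/* Two concrete "classes" share the base layout and differ only in behaviour. */
static int add_step(struct Object *self, int n) { self->state += n; return self->state; }
static int mul_step(struct Object *self, int n) { self->state *= n; return self->state; }
static void plain_destroy(struct Object *self) { free(self); }

static const struct VTable adder_vt      = { add_step, plain_destroy };
static const struct VTable multiplier_vt = { mul_step, plain_destroy };

/* "Constructor": allocate the object, then install the class's vtable. */
struct Object *object_new(const struct VTable *vt, int initial) {
    struct Object *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->vt = vt;
    o->state = initial;
    return o;
}

/* Virtual dispatch: the caller never names the concrete function. */
int object_step(struct Object *o, int n) { return o->vt->step(o, n); }
void object_delete(struct Object *o) { if (o) o->vt->destroy(o); }

/* A driver that works on any class, because dispatch goes through the vtable.
 * Returns the final state, or -1 if allocation failed. */
int run_steps(const struct VTable *vt, int initial, const int *steps, size_t count) {
    struct Object *o = object_new(vt, initial);
    int last = initial;
    if (!o) return -1;
    for (size_t i = 0; i < count; i++) last = object_step(o, steps[i]);
    object_delete(o);
    return last;
}

/* Constructed sample input: the same step sequence run through both classes. */
static const int sample_steps[] = { 2, 3, 4 };

int demo_adder(void)      { return run_steps(&adder_vt, 1, sample_steps, 3); }      /* 1+2+3+4 = 10 */
int demo_multiplier(void) { return run_steps(&multiplier_vt, 1, sample_steps, 3); } /* 1*2*3*4 = 24 */

int main(void) {
    return (demo_adder() == 10 && demo_multiplier() == 24) ? 0 : 1;
}
```

The point for an analyst is that nothing in this source needs a C++ compiler, yet the binary contains constructors, vtables and indirect dispatch; recognising that pattern in the disassembly is what turned an apparently unknown language into plain C.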
The hackers’ preference for C suggests that they are “experienced, ‘old-school’ developers,” according to Igor Soumenkov of Kaspersky. [Secure List]