By 16 March 2012 | Categories: news


It’s not often that you get a call for help from one of the largest anti-virus companies in the world, but an unknown programming language used in the Duqu Trojan has Kaspersky Lab stumped.
Duqu is a sophisticated Trojan and according to Kaspersky, it was created by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information.
Duqu was first detected in September 2011, but according to Kaspersky Lab data, the first trace of Duqu-related malware dates back to August 2007. The company’s experts have recorded over a dozen incidents involving Duqu, with the vast majority of victims located in Iran.
An analysis of the victim organisations’ activities and the nature of the information targeted by the Duqu authors pointed to an interesting conclusion. It clearly suggest the main goal of the attacks was to steal information about industrial control systems used in a number of industries as well as gathering intelligence about the commercial relations of a whole range of Iranian organisations.
The mystery
The big unsolved mystery of the Duqu Trojan relates to how the malicious program was communicating with its Command and Control (C&C) servers once it infected a victim’s machine. The Duqu module that was responsible for interacting with the C&Cs is part of its Payload DLL. After a comprehensive analysis of the Payload DLL, Kaspersky Lab researchers have discovered that a specific section inside the Payload DLL, which communicates exclusively with the C&Cs, was written in an unknown programming language. Kaspersky Lab researchers have named this unknown section the “Duqu Framework.”
Unlike the rest of Duqu, the Duqu Framework is not written in C++ and it's not compiled with Microsoft's Visual C++ 2008. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language. However, Kaspersky Lab researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications.
The language in the Duqu Framework is highly specialised. It enables the Payload DLL to operate independently of the other Duqu modules and connects it to its dedicated C&C through several paths including Windows HTTP, network sockets and proxy servers. It also allows the Payload DLL to process HTTP server requests from the C&C directly, stealthily transmits copies of stolen information from the infected machine to the C&C, and can even distribute additional malicious payload to other machines on the network, which creates a controlled and discreet form of spreading infections to other computers.
A full description of the analysis and its related data can be found at Securelist, Kaspersky Lab’s research site.
“Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team which created the drivers and wrote the system infection exploits,” said Alexander Gostev, chief security expert at Kaspersky Lab.
“With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program.”
Significant financial and labour resources behind it
According to Gostev, the creation of a dedicated programming language demonstrates just how highly skilled the developers working on the project are, and points to the significant financial and labour resources that have been mobilised to ensure the project is implemented.
Kaspersky Lab has made an appeal to the programming community and ask anyone who recognises the framework, toolkit or the programming language that can generate similar code constructions, to please contact its experts.
The full version of the Duqu Framework analysis by Igor Soumenkov and Costin Raiu can be found on Securelist.


Magazine Online is South Africa's leading magazine for tech product reviews, tech news, videos, tech specs and gadgets.
Start reading now >
Download latest issue

Have Your Say

What new tech or developments are you most anticipating this year?
New smartphone announcements (3 votes)
Technological breakthroughs (6 votes)
Launch of new consoles, or notebooks (6 votes)
Innovative Artificial Intelligence solutions (3 votes)
Biotechnology or medical advancements (7 votes)
Better business applications (1 votes)