With the help of programmers worldwide, Kaspersky researchers were finally able to identify the Duqu Trojan's mystery code. Part of the malware was written in a little-used dialect of C, which leads the researchers to believe it may have been written by experienced, old-school programmers. The Duqu Trojan is an espionage tool that drew a great deal of attention last year because it shares many features with Stuxnet.
Duqu, Created by Old-School Programmers
In a blog post on Monday, March 19, 2012, Kaspersky security researcher Igor Soumenkov said the malware's command and control (C&C) communication component appears to have been developed using a rather archaic custom object-oriented extension to the C programming language, generally known as Object Oriented C (OO C). Most of Duqu was written in C++ and compiled with Microsoft Visual C++ 2008. The C&C module, however, was written in pure C and compiled with the Microsoft Visual Studio 2008 compiler (MSVC 2008) with two specific options, /O1 (optimize for size) and /Ob1 (expand only functions explicitly marked inline), chosen to keep the code small.
Based on the choice of language, the researchers believe that at least some of Duqu's developers started programming when Assembler was the language of choice, then moved to C when it gained popularity. When C++ appeared, many old-school programmers distrusted it and preferred to stay away from it, said Soumenkov.
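To make concrete what "object-oriented C" means in practice, here is an added illustration of the idiom: a base struct whose first field points to a table of function pointers (a hand-rolled vtable), a derived struct that embeds the base, and explicit constructor and destructor functions. This is generic example code written for this article, not Duqu's code or Kaspersky's; every name in it (Object, VTable, Counter, counter_new, demo_counter) is made up for the illustration. In a disassembly this pattern shows up as the load-vtable, load-slot, indirect-call sequence that an analyst used to C++ would normally attribute to a compiler rather than to hand-written C.

```c
/* Added illustration of the "object-oriented C" idiom. Example code, not
 * Duqu's code; all names here are invented for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct Object;

/* Method table: one per "class", shared by all instances of that class. */
struct VTable {
    const char *name;
    void (*destroy)(struct Object *self);
    int  (*step)(struct Object *self, int delta);
    int  (*value)(const struct Object *self);
};

/* Base "class": only a vtable pointer. It is the first field so that a
 * pointer to any derived struct can be cast to Object* and back. */
struct Object {
    const struct VTable *vt;
};

/* Derived "class": embeds the base as its first member, then adds state. */
struct Counter {
    struct Object base;
    int count;
};

static int counter_step(struct Object *self, int delta) {
    struct Counter *c = (struct Counter *)self;
    c->count += delta;
    return c->count;
}

static int counter_value(const struct Object *self) {
    return ((const struct Counter *)self)->count;
}

static void counter_destroy(struct Object *self) {
    free(self);
}

/* The vtable lives in read-only data; instances only carry a pointer to it. */
static const struct VTable counter_vtable = {
    "Counter", counter_destroy, counter_step, counter_value
};

/* Constructor: allocate, wire up the vtable, initialise the fields. */
struct Object *counter_new(int initial) {
    struct Counter *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->base.vt = &counter_vtable;
    c->count = initial;
    return &c->base;
}

/* Dispatch helpers that know nothing about Counter: they load the vtable,
 * load the slot and make an indirect call, exactly like a C++ virtual call. */
int object_step(struct Object *o, int delta) { return o->vt->step(o, delta); }
int object_value(const struct Object *o)     { return o->vt->value(o); }
void object_destroy(struct Object *o)        { o->vt->destroy(o); }
const char *object_class_name(const struct Object *o) { return o->vt->name; }

/* Exercise the pattern end to end and return the final counter value (12). */
int demo_counter(void) {
    struct Object *o = counter_new(10);
    if (!o) return -1;
    object_step(o, 5);
    object_step(o, -3);
    int v = object_value(o);
    object_destroy(o);
    return v;
}

int main(void) {
    printf("final value: %d\n", demo_counter());
    return 0;
}
```

Compiled with optimisation for size, the helpers collapse to a few instructions each, which is part of why code written this way can be hard to attribute to a specific language or compiler.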
Closely Related to the Stuxnet Virus
The Duqu remote-access Trojan, created to steal data from industrial control systems, was discovered by the Laboratory of Cryptography and System Security (CrySyS) in Budapest in October 2011. Because it is closely related to the Stuxnet virus that disrupted operations at Iran's Natanz nuclear facility in 2010, Duqu attracted attention worldwide. Many researchers consider it possible that the two pieces of malware were written by the same group, albeit with somewhat different goals in mind.
Work of Professionals
While the Stuxnet virus was designed to physically damage industrial control equipment, Duqu was designed to steal data from such control systems and use it to attack them later. Opinions differ on the severity of the threat Duqu poses, but many researchers agree that the malware was likely created by well-funded, sophisticated and probably government-supported professionals.
Such techniques are normally seen in professional software and almost never in today's malware, said Soumenkov. The complex manner in which the code was created indicates that Duqu, like Stuxnet, is a "one of a kind" piece of malware that stands out like a gem from the large mass of "dumb" malicious programs we normally see, the researcher added.
(reported by Alexandra Burlacu, edited by Surojit Chatterjee)