ID: IRCNE2012031441
Date: 2012-03-27
According to ZDNet, the sections of the Duqu Trojan (referred to by some as Stuxnet 2.0) responsible for downloading and executing additional modules appeared to be written in an unknown programming language rather than standard C++. Security researchers worked out what the mystery code does, but because they weren't sure about the syntax, they asked the community for help in identifying the programming language. Over a week later, it turned out that the Duqu Framework was written in C and compiled with MSVC 2008 using the options /O1 (minimize size) and /Ob1 (expand only functions marked inline).
Kaspersky confirmed the finding by writing C code that, when compiled as described, produces opcodes identical to the ones in the Duqu binary (Kaspersky's write-up shows an excerpt of the comparison). Changing the order of operations or of the if/else blocks changes the resulting code, and the MSVC 2005 compiler produces slightly different code as well. The firm thus concludes that the binary was compiled with MSVC 2008, with options /O1 /Ob1, and that the input source was pure C. This is a compiler-fingerprinting argument: the conclusion is only as strong as the range of compilers and option combinations that were tried against the sample.
This means the code was written either with a custom object-oriented C framework based on macros or custom preprocessor directives (the most common way to combine object-oriented programming with C), or in object-oriented style by hand, without any extensions to the language. Technically it is nearly impossible to tell code generated from macro directives apart from manually copy-pasted code, because the compiler only ever sees the preprocessor's output.
Duqu was first detected in September 2011, but Kaspersky Lab believes it has seen the first pieces of Duqu-related malware dating back to August 2007.