"We've solved the riddle of the Iranian Trojan Horse"

JAYRAM
22/3/2012

Successful decryption of the DLL component responsible for communicating with the command and control servers of the source that sent it

Kaspersky Lab has approached the global development community with a request for assistance in solving the mystery of the DUQU Framework programming language, which was unfamiliar to conventional computer science.

Programmers who attempted to analyze the code encountered an unfamiliar language written in the DLL component - which was responsible for communicating with the command and control server of the source that sent it. According to various sources, the DUQU advanced Trojan that attacked the infrastructure systems in Iran was written by Israel or the US.

After receiving a staggering amount of information and feedback from the development community, the experts at Kaspersky Lab discovered that the mysterious language code originally consisted of the "C" programming language, written with Microsoft Visual Studio 2008, through which the structure and size of the code was optimized. The new language was also written with a plug-in specifically adapted to match the attacked targets – object-oriented C, or OOC.

This "homemade" programming method is very sophisticated and common in civilian software projects, not in the various malwares. At this stage, it is still unknown why the DUQU operators (according to various estimates - sources in the US and in Israel) chose to use OOC. However, Kaspersky experts assess that there are two possible reasons: a higher level of control over the code itself and a very high level of mobility.

Selecting OOC could provide the operator with better and more reliable control of the code, with a lower probability of bugs and unpredictable behavior.

Ten or twelve years ago, C++ had yet to be fully assimilated as a standard, and this language did not have complete interoperability with every compiler. Another advantage lies in the fact that the use of the C programming language provided the DUQU developers with considerable mobility, as this language can connect to all existing platforms, without the suitability limitations pertaining to the C++ programming language.

Given these circumstances, it's possible to assess that the DUQU framework was written by "old school" veteran developers, seeking to create a language that would be easy to individually adapt, which would support an aggressive platform that is adaptive and flexible in an unparalleled manner.

"It's also possible that the code itself was used in cyber operations in the past, and received new modifications to suit the DUQU Trojan," said Igor Soumenkov, a malware expert at Kaspersky Lab. "However, one thing is certain - these are techniques used by elite developers, which are almost never used in the malicious code industry."

Israel Defense | "We've solved the riddle of the Iranian Trojan Horse"
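For readers wondering what "object-oriented C" actually looks like at the source level, here is an added illustration of the technique the article describes: plain C structs carrying a pointer to a hand-rolled table of function pointers (a vtable), explicit constructor and destructor functions, and method calls dispatched through the table. This is a generic example written for this post, not Duqu's code and not anything Kaspersky published; the type and function names (object, object_vtable, counter_object, run_counter_sample) and the sample event sequence are assumptions made up for the demonstration. The point it shows is why such code is both portable and hard to recognise: it compiles with any C compiler, with no C++ runtime, yet a disassembler sees the same indirect-call patterns a C++ binary would produce.

```c
/* Added illustration of "object-oriented C" (OOC): hand-rolled vtables,
 * constructors and destructors in plain C. Generic example, not Duqu code;
 * all names and the sample event sequence are assumptions. */
#include <stdio.h>
#include <stdlib.h>

struct object;

/* Hand-rolled vtable: each "method" is a function pointer whose first
 * argument is the object itself (the implicit "this" of C++). */
struct object_vtable {
    const char *name;
    int  (*handle_event)(struct object *self, int event_id);
    void (*destroy)(struct object *self);
};

/* Base object: the only shared state is the vtable pointer, so any
 * derived object can be handled through a struct object pointer. */
struct object {
    const struct object_vtable *vt;
};

/* "Derived" class: embeds the base as its first member, so a pointer to
 * counter_object is also a valid pointer to its base object. */
struct counter_object {
    struct object base;
    int count;
    int threshold;
};

static int counter_handle_event(struct object *self, int event_id)
{
    struct counter_object *c = (struct counter_object *)self;
    if (event_id != 1)               /* only event type 1 is counted */
        return 0;
    c->count++;
    return c->count >= c->threshold; /* 1 once the threshold is reached */
}

static void counter_destroy(struct object *self)
{
    free(self);                      /* self is the start of the allocation */
}

/* One static vtable per class, exactly like a C++ compiler would emit. */
static const struct object_vtable counter_vtable = {
    "counter", counter_handle_event, counter_destroy
};

/* Constructor: allocate, wire up the vtable, return a base pointer. */
struct object *counter_new(int threshold)
{
    struct counter_object *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    c->base.vt = &counter_vtable;
    c->threshold = threshold;
    return &c->base;
}

/* Virtual dispatch: an indirect call through the vtable. */
int object_handle_event(struct object *o, int event_id)
{
    return o->vt->handle_event(o, event_id);
}

void object_destroy(struct object *o)
{
    o->vt->destroy(o);
}

const char *object_class_name(const struct object *o)
{
    return o->vt->name;
}

/* Feed a constructed sample event sequence to a fresh counter and return
 * the 1-based index of the event that tripped the threshold, or -1 if the
 * threshold was never reached (-2 on allocation failure). */
int run_counter_sample(int threshold)
{
    static const int events[] = {1, 2, 1, 1, 1};   /* constructed input */
    const int n = (int)(sizeof events / sizeof events[0]);
    struct object *o = counter_new(threshold);
    int fired_at = -1;
    if (!o)
        return -2;
    for (int i = 0; i < n; i++) {
        if (object_handle_event(o, events[i])) {
            fired_at = i + 1;
            break;
        }
    }
    object_destroy(o);
    return fired_at;
}

int main(void)
{
    struct object *o = counter_new(3);
    if (!o)
        return 1;
    printf("class=%s\n", object_class_name(o));
    object_destroy(o);
    printf("threshold 3 fired at event %d\n", run_counter_sample(3));
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 -Wall ooc.c`); nothing here depends on C++ or on a particular toolchain, which is the portability argument the article attributes to the Duqu authors. When reversing a binary built this way, the tell-tale signs are the same as for C++: a pointer stored at offset 0 of every heap object, static tables of code pointers in read-only data, and `call [reg+N]` dispatch through them, but with no C++ RTTI, mangled names or runtime library to identify the classes.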