Duqu espionage malware authored by “old-school” developers

A sophisticated piece of espionage malware with ties to the Stuxnet worm used to disrupt Iran’s nuclear program was probably authored by an experienced team of “old school” professional developers, researchers from antivirus provider Kaspersky said.

They drew that conclusion after seeking the help of researchers and software developers around the world in identifying the programming language used to develop one part of the Duqu malware. Systems infected with Duqu used the mystery module to receive instructions from command-and-control servers. It didn’t rely on C++ as most of the other Duqu modules did, and the Kaspersky researchers were also able to rule out the use of Objective-C, Java, Python, Ada, Lua and several other languages.

In the weeks following the request for help, the Kaspersky researchers received more than 200 blog comments and more than 60 e-mails that helped fill in the blanks. Among them were comments included in this post on Reddit by someone identified as Igor Skochinsky who said the mystery code looked similar to that derived from object-oriented frameworks for the C programming language. Other readers soon concluded it was generated from a custom object-oriented C dialect that is usually referred to as OO C.

The most likely reason for the choice was the Duqu developers’ mistrust of C++ compilers, which in older days often suffered from memory-allocation problems that caused indirect execution. The malware authors also seemed to be influenced by the desire for their code to work with multiple compilers, including Watcom C++ rather than just the one provided in Microsoft’s Visual Studio package.
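The "OO C" style the readers identified is worth seeing in working code, because it explains why the decompiled module looked object-oriented yet carried none of the fingerprints of a C++ compiler (no name mangling, no RTTI, no compiler-generated constructors). The block below is an added example written for this page, not code recovered from Duqu or published by Kaspersky: the class names, the message-handling method and the reference-counting scheme are illustrative assumptions. It is plain C89, so it builds unchanged with MSVC, Watcom or gcc, which is exactly the portability the article says the authors wanted. Each object begins with a pointer to a hand-written function table, and every method call goes through that table, which is what a reverser sees as an indirect `call [reg+N]` with no C++ runtime behind it.

```c
/* Added example (not Duqu code): a minimal hand-rolled "OO C" object model
 * of the kind described above. Class layout, names and behaviour here are
 * illustrative assumptions, not something recovered from the Duqu binary. */
#include <stdlib.h>
#include <string.h>

struct object;

/* The per-class function table. Every object points at one of these, so
 * method calls compile to an indirect call through the first field of the
 * object: the same pattern that looked "object-oriented" in the disassembly. */
struct vtable {
    const char *class_name;
    void (*destroy)(struct object *self);
    int  (*handle)(struct object *self, int msg);  /* "handle a message" */
};

/* Base class: vtable pointer first, then instance data. */
struct object {
    const struct vtable *vt;
    int refcount;
};

/* --- base class implementation --- */
static void object_destroy(struct object *self) { free(self); }
static int  object_handle(struct object *self, int msg) { (void)self; return msg; }

static const struct vtable object_vtable = { "Object", object_destroy, object_handle };

struct object *object_new(void) {
    struct object *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->vt = &object_vtable;   /* "constructor" written by hand, not by the compiler */
    o->refcount = 1;
    return o;
}

/* --- derived class: embeds the base as its FIRST member, so a pointer to a
 *     counter is also a valid struct object * (single inheritance by layout) --- */
struct counter {
    struct object base;
    int total;
};

static int counter_handle(struct object *self, int msg) {
    struct counter *c = (struct counter *)self;  /* safe: base is the first member */
    c->total += msg;
    return c->total;
}

static const struct vtable counter_vtable = { "Counter", object_destroy, counter_handle };

struct object *counter_new(void) {
    struct counter *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->base.vt = &counter_vtable;  /* override the method table for the subclass */
    c->base.refcount = 1;
    return &c->base;
}

/* Generic dispatch helpers: callers never know the concrete type. */
int object_send(struct object *o, int msg)        { return o->vt->handle(o, msg); }
const char *object_class(const struct object *o)  { return o->vt->class_name; }
void object_release(struct object *o) {
    if (o && --o->refcount == 0) o->vt->destroy(o);
}

/* Drive two objects of different classes through the same interface and
 * return the sum of the results so the behaviour can be checked without
 * relying on printed output. */
int run_demo(void) {
    struct object *objs[2];
    int sum = 0, i;
    objs[0] = object_new();
    objs[1] = counter_new();
    for (i = 0; i < 2; i++) {
        sum += object_send(objs[i], 10);  /* Object echoes 10; Counter returns 10 */
        sum += object_send(objs[i], 5);   /* Object echoes 5;  Counter returns 15 */
    }
    for (i = 0; i < 2; i++) object_release(objs[i]);
    return sum;  /* 10 + 5 + 10 + 15 = 40 */
}
```

Note what the compiler is and is not allowed to do here: the developer writes the constructor, the method table and the dispatch by hand, so nothing is allocated or called behind their back. That is the "control over the generated code" that the article attributes to developers who did not trust the C++ compilers of the day, and it is why the same source compiles to equivalent machine code across MSVC and Watcom.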

“Both reasons appear to indicate the code was written by a team of experienced, ‘old-school’ developers,” Kaspersky Lab expert Igor Soumenkov wrote in a blog post published on Monday. He went on to say the chunk of code was written in pure C and compiled with the Microsoft Visual Studio 2008 compiler using the “/O1” and “/Ob1” special options. He also said the C code may have been reused from an already existing software project and integrated into Duqu.

“All the conclusions above indicate a rather professional team of developers, which appear to be reusing older code written by top ‘old school’ developers,” he continued. “Such techniques are normally seen in professional software and almost never in today’s malware. Once again, these indicate that Duqu, just like Stuxnet, is a ‘one of a kind’ piece of malware which stands out like a gem from the large mass of ‘dumb’ malicious programs we normally see.”

Article source: http://arstechnica.com/business/news/2012/03/duqu-espionage-malware-authored-by-old-school-developers.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss