Duqu Trojan contains mystery programming language in Payload DLL

March 9, 2012, 4:00 PM

Experts at the Russian computer security company Kaspersky have concluded that parts of the Duqu Trojan are written in an unknown programming language. Much of the code is identifiable as standard C++, but the team cannot determine the origin of the remaining segments and is asking the programming community for assistance.

Duqu borrows heavily from another high-profile threat, Stuxnet, with some even referring to it as Stuxnet 2.0. The code in question is part of the Payload DLL, the component of the trojan that exchanges instructions with its command-and-control (C&C) servers once it has infiltrated a system. It is object-oriented but otherwise unlike anything the team at Kaspersky has seen before.

Kaspersky has dubbed this portion of the code the Duqu Framework, and based on the sheer complexity of the work it believes the trojan is funded by a wealthy organization or a national effort.

“With the extremely high level of customization and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program,” said Alexander Gostev, chief security expert at Kaspersky.

Igor Soumenkov of Kaspersky has published a blog post detailing what is known about the Duqu Framework and asking the programming community to help identify the mystery code. This is what the team has concluded thus far:

  • The Duqu Framework appears to have been written in an unknown programming language.
  • Unlike the rest of the Duqu body, it's not C++ and it's not compiled with Microsoft's Visual C++ 2008.
  • The highly event driven architecture points to code which was designed to be used in pretty much any kind of conditions, including asynchronous communications.
  • Given the size of the Duqu project, it is possible that a different team was responsible for the framework than the one which created the drivers and wrote the system infection and exploits.
  • The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.
  • Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of the Duqu framework.

Those with any insight are encouraged to submit a comment on the blog post.
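
One point worth making concrete, as an added illustration that is not Duqu code and is not taken from Kaspersky's write-up: an object-oriented, event-driven design does not require a C++ compiler. The plain C below hand-rolls what a C++ compiler would generate for virtual dispatch (a vtable pointer at offset 0 of every object, constructor functions, indirect calls through the table) and drives it from an event queue in which a handler can post an event back to itself for later, asynchronous delivery. Compiled with any C compiler, the result has the object-oriented, event-driven shape described above but none of the C++ compiler fingerprints such as mangled names, RTTI or the C++ runtime. The class name, event types and the demo data are invented for the example.

```c
/* Object-oriented, event-driven code in plain C: explicit vtables,
 * constructor functions and an event loop.  Added illustration only;
 * the "counter" class and the EV_* events are invented for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Every "class" starts with a pointer to its vtable, so a disassembler sees
 * an indirect call through [obj+0] rather than a symbol with a C++ name. */
struct object;
struct vtable {
    const char *class_name;
    void (*on_event)(struct object *self, int type, const void *data, size_t len);
    void (*destroy)(struct object *self);
};
struct object { const struct vtable *vt; };

/* Event queue: fixed ring buffer of (target object, event type, payload). */
enum { EV_DATA = 1, EV_TIMER = 2, EV_CLOSE = 3 };
#define QUEUE_LEN   16
#define PAYLOAD_MAX 32
struct event { struct object *target; int type; unsigned char data[PAYLOAD_MAX]; size_t len; };
static struct event queue[QUEUE_LEN];
static size_t q_head, q_tail;

/* Returns 0 on success, -1 if the queue is full or the payload too large. */
static int post_event(struct object *target, int type, const void *data, size_t len) {
    if ((q_tail + 1) % QUEUE_LEN == q_head || len > PAYLOAD_MAX) return -1;
    struct event *e = &queue[q_tail];
    e->target = target; e->type = type; e->len = len;
    if (len) memcpy(e->data, data, len);
    q_tail = (q_tail + 1) % QUEUE_LEN;
    return 0;
}

/* Dispatch loop: delivers events, including ones posted while running.
 * Returns the number of events delivered. */
static int run_events(void) {
    int delivered = 0;
    while (q_head != q_tail) {
        struct event *e = &queue[q_head];
        q_head = (q_head + 1) % QUEUE_LEN;
        e->target->vt->on_event(e->target, e->type, e->data, e->len);  /* virtual call */
        delivered++;
    }
    return delivered;
}

/* A concrete class: counts bytes it receives; on a TIMER it asks to be
 * closed asynchronously by posting CLOSE to itself rather than closing inline. */
struct counter { struct object base; size_t bytes_seen; int closed; };

static void counter_on_event(struct object *self, int type, const void *data, size_t len) {
    struct counter *c = (struct counter *)self;   /* base is the first member */
    (void)data;
    switch (type) {
    case EV_DATA:  c->bytes_seen += len; break;
    case EV_TIMER: post_event(self, EV_CLOSE, NULL, 0); break;
    case EV_CLOSE: c->closed = 1; break;
    default: break;
    }
}
static void counter_destroy(struct object *self) { free(self); }
static const struct vtable counter_vt = { "counter", counter_on_event, counter_destroy };

/* Constructor: allocate, install the vtable, zero the fields. */
static struct counter *counter_new(void) {
    struct counter *c = calloc(1, sizeof *c);
    if (c) c->base.vt = &counter_vt;
    return c;
}

/* Demo: two data events and a timer.  Returns the byte count if exactly
 * four events were delivered (three queued plus the self-posted CLOSE)
 * and the object ended up closed; -1 otherwise. */
static long demo(void) {
    struct counter *c = counter_new();
    if (!c) return -1;
    post_event(&c->base, EV_DATA, "hello", 5);    /* constructed sample input */
    post_event(&c->base, EV_DATA, "world!", 6);
    post_event(&c->base, EV_TIMER, NULL, 0);
    int delivered = run_events();
    long result = (c->closed && delivered == 4) ? (long)c->bytes_seen : -1;
    c->base.vt->destroy(&c->base);               /* virtual destructor */
    return result;
}

int main(void) { printf("bytes seen: %ld\n", demo()); return 0; }
```

Seen in a disassembler, the `on_event` call becomes an indirect call through a pointer loaded from the first field of the object, which is what makes code like this read as object-oriented; the absence of mangled symbols, `this`-passing conventions and C++ runtime imports is what makes it read as not C++. That is an observation about the technique in general, not a claim about what Duqu's authors used.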




User Comments: 41

Lurker101 said:

Maybe it's just Google's fun way of releasing DART to the public

R3DP3NGUIN said:

An unknown programming language? Would it be that far-fetched to think maybe the defense/government is involved? I mean, if you think how they manipulate wars, they can do the same for the cyber world. Creating a virus that could take down major nations (which ironically targets the likes of Iran or Iraq, etc.) could give the government an excuse for tightening Internet regulations (which they are already trying to do).

that's just my 2 cents.

Guest said:

Oh wow, I never thought I would see the day programming experts would not know what language something is written in. It could be a new code the coders developed to keep certain contents hidden? Only a suggestion, but heck, it could be possible.

lipe123 said:

Wait the picture in the article is supposed to be this unknown mystery code?

That's just assembly language; we used that kind of thing in computer class in 1995 already to get things like mouse pointer locations etc.

It's seriously old school and will only run on OSes that allow hardware access.

Guest said:

Yeah, woulda been nice if they'd identified that as a stock photo (unless there's actually a little assembler in Duqu). In any case, the unknown language and high-level effort points directly to China.

Guest said:

It looks like this

http://en.wikipedia.org/wiki/High_Level_Assembly

and it probably is in some way..

Guest said:

It does look like assembly. I took a class on it a couple of years ago. Perhaps what they mean is what language was it written in before being converted to machine instructions? They are reverse engineering it after all, I doubt they have the source lol

Guest said:

Not sure about the code? There's a logical explanation for all this.

ANCIENT ALIENS.

Guest said:

just a little hand coded assembly

Guest said:

similar to Assembly

Guest said:

It's a decompiled version of the virus, turned into assembly code, you scientists; assembly isn't the language it was programmed in. Most of the code is written in the C++ language, but there is a part of the code which is written in an unknown/home-made programming language (a mix of Lisp and C++) and linked to the rest of the code. That's what they are trying to figure out, to know how the virus behaves there -_-

yorro said:

Lurker101 said:

Maybe it's just Google's fun way of releasing DART to the public

I thought Dart was similar to JavaScript?

Guest said:

Uninformed commenters, cowboy up!

Guest said:

assembly language with a java twist. keep the virtual machine server side.

Guest said:

If that picture is the code, that's just some Assembly, looks like x86 to me.

VitalyT said:

I've been programming in assembler for many years, and that piece of code does not appear to me to be anything out of the ordinary. It should compile in MASM without any problem.

And making statements that it wasn't written in C++ or other languages on the list is not well thought out. The truth is, many C++ implementations support inline assembler extensions and overrides. And Microsoft C++ is especially so, one can override and implement in assembler anything within C++ framework. Even .NET allows that in part!

So what's all the noise about and government conspiracy nonsense again?

Guest said:

Mystery programming language? That looks like assembly language. Is everyone so young that they have not heard of or used assembly language? Or am I that old that I am one of the few people left that have programmed in assembly language? ;)

Guest said:

Caveat: I am an old (retired) geek who used to play with machine code and assembly language. Not for anything practical or useful, just to see if it could be done ("untainted by practical application").

This is funny. I know I have written some strange programs in my time and I seem to remember my first evaluation where my boss noted that my code, "appears to have been written in an unknown programming language." The reference in the comments about a secret government program makes old geeks empathize even more with Myron Aub in Asimov's "The Feeling of Power". (Google it)

/tdw/

Guest said:

Yes, congratulations, you are indeed looking at assembler language - which is how any sane person would be looking at reverse engineered code - that does not identify the language it was written in. I hope you're all 15 years old, because the lack of thought in these comments is disturbing.

marinkvasina said:

Um, why do you people think that you know better than the Kaspersky team? If it's some random coding language they would have figured it out by now.

3DCGMODELER said:

It's a new code, a new language..

thats all..

Guest said:

If they wanted to get your opinion about this strange, new, wonderful, exotic language, then they should have shown us the code instead of showing us assembly. Besides, I know coders who compile C++ to assembly, then tweak the assembly.

Guest said:

To everyone who says "Looks like assembly to me, I know cause I'm l33tz0rs." Please just stop.

1) Compiled languages (such as C and C++) are converted into machine code when compiled. Once this step is complete, a true and accurate picture of the original code is no longer retrievable due to compiler optimizations.

2) Reverse engineering an executable is usually done by converting the machine code into assembly since assembly is usually one-to-one (one machine instruction = one line of code, although this is not always true).

3) When compiling code, a compiler goes through a well defined list of steps. This produces machine instructions that have a noticeable pattern. By looking at the pattern of the assembly instructions, one can generally get an idea of what language the original code was written in due to the patterns produced by following a list of steps.

So yeah... please stop.

Guest said:

hmmm... that looks like a sandboxed function written in http://en.wikipedia.org/wiki/Brain**** compiler... /s

Guest said:

Really? The ASM part is obvious. The commands used are NOT pure ASM. This is the mystery part.

Jyrkz said:

what i see here are 2 things,

1. Lots of ppl think they're h4xx0rz because they know it's assembler. (I'm just a PC fan; very little coding is known to me, and I just don't care.)

2. the new code, that shows ppl are still growing and learning ;D

Opus said:

That's really awkward-looking compilation... As an MSCS I know that it's ASM but haven't seen this kind of weird translation. Truly complicated, but still these are few lines. Full code would make much more sense. It's not any C++ compiler that I know of. Maybe CPP + F# and/or LISP, therefore a new framework customized for the coding teams.

Guest said:

Of course it's assembler, retards. The program itself is always 'written' in a code that is readable by a computer. What the guy from Kaspersky is trying to say is that the language used to write Duqu (which was then compiled into assembler or whatever) is unknown.

Guest said:

This is indeed a mysteriously looking language, but it definitely has some elements of English in it. I recognize many words - "move", "push", "stop" etc. No wonder Russians don't understand it.

Guest said:

Unknown LOL... it's 100% known. It's obviously assembly. Wow, who said it was unknown again... jesus.

Guest said:

I'm sure those are the first few lines of assembly a team at Kaspersky Labs that specializes in code disassembly has ever seen.... You guys for real ?

TFA indirectly stated that "some segments disassemble into an unknown type of machine code sequence". Who said anything about mass conspiracies and aliens? I'm pretty sure that wasn't the author's intention and that our minds are just too tense and tend to jump to conclusions too quickly in a world where stupidity knocks at the door all too often.

Guest said:

Do you guys even read the comments before you post? Of course it's in assembly.. that's what language it was reverse-engineered into you dolts.

Guest said:

Reminds me of Forth actually.

Guest said:

Since secret services have so many IT geniuses as employees, don't you think one of them could easily create a new programming language for the exact purpose of developing these kinds of viruses/trojans?

Guest said:

From the article, I am understanding that what is in the picture is the compiled version of the code. I guess different programming languages have certain characteristics when compiled, and this assembly code doesn't match any of them.

Guest said:

LOL... the pic shows the trojan binary disassembled. Although clueless, you might accidentally be onto something anyway. The code might simply be written in assembly by a disciplined OOP programmer.

Guest said:

I originally thought that this was obviously assembled C++, especially with the "call new" (calling C++'s new operator), but when I tested it out on my machine I remembered that C++ uses name mangling, so for example:

int* num1 = new int(15); // the code I tested

resulted in:

call _Znwj ; not "call new" as I originally expected

Anyhow, if they made up their own language, then why are you trying to figure out what language it was written in? Isn't the answer obviously "a new one"?! People write their own languages all the time; I could go write my own right now (though it would suck).

For clarity, compiled languages such as C and C++ are first compiled into assembly, assembled into machine code, and linked to create an executable. If you think C/C++ are compiled straight into machine code you're retarded.

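The comment above about `_Znwj`, and the earlier one about recognising a source language from the patterns a compiler leaves behind, both point at the same practical check, so here it is in working form as an added example that is not part of the thread: the way a linker-level symbol is decorated identifies the compiler and often the source language. GCC and Clang follow the Itanium C++ ABI, under which `operator new(unsigned int)` becomes `_Znwj` (`nw` for operator new, `j` for unsigned int); Microsoft's compiler mangles the same function as `??2@YAPAXI@Z`; 32-bit Windows stdcall and fastcall C functions are decorated `_name@N` and `@name@N`, where N is the argument size in bytes; a plain cdecl C name carries no language information at all. The classifier below applies those rules to a list of names of the kind a reverse engineer pulls from an import table or export directory. The sample symbols in `main` are constructed for the example, and `FastProc` is an invented name.

```c
/* Symbol-decoration classifier: which compiler/ABI produced this name?
 * Added example for this thread, not code from the article or from Duqu.
 * Rules applied:
 *   _Z...      Itanium C++ ABI (GCC, Clang):  _Znwj        = operator new(unsigned int)
 *   ?...@...   Microsoft C++ mangling:         ??2@YAPAXI@Z = operator new(unsigned int)
 *   _name@N    32-bit Windows stdcall C decoration, N = bytes of arguments
 *   @name@N    32-bit Windows fastcall C decoration
 *   _name/name cdecl C: carries no language information at all
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum symbol_kind {
    SYM_UNKNOWN = 0,
    SYM_ITANIUM_CXX,
    SYM_MSVC_CXX,
    SYM_WIN32_STDCALL,
    SYM_WIN32_FASTCALL,
    SYM_C_PLAIN
};

static int is_ident_char(int c) { return isalnum(c) || c == '_'; }

/* True for "identifier@digits", the shape of stdcall/fastcall decoration. */
static int is_decorated_c(const char *s) {
    const char *at = strchr(s, '@');
    if (at == NULL || at == s || at[1] == '\0') return 0;
    for (const char *p = s; p < at; p++)
        if (!is_ident_char((unsigned char)*p)) return 0;
    for (const char *p = at + 1; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    return 1;
}

enum symbol_kind classify_symbol(const char *sym) {
    if (sym == NULL || *sym == '\0') return SYM_UNKNOWN;
    if (sym[0] == '_' && sym[1] == 'Z') return SYM_ITANIUM_CXX;
    if (sym[0] == '?') return strchr(sym, '@') ? SYM_MSVC_CXX : SYM_UNKNOWN;
    if (sym[0] == '@') return is_decorated_c(sym + 1) ? SYM_WIN32_FASTCALL : SYM_UNKNOWN;
    if (sym[0] == '_' && is_decorated_c(sym + 1)) return SYM_WIN32_STDCALL;
    for (const char *p = sym; *p; p++)          /* anything else must be a bare C identifier */
        if (!is_ident_char((unsigned char)*p)) return SYM_UNKNOWN;
    return SYM_C_PLAIN;
}

const char *symbol_kind_name(enum symbol_kind k) {
    switch (k) {
    case SYM_ITANIUM_CXX:    return "C++ (Itanium ABI: GCC/Clang)";
    case SYM_MSVC_CXX:       return "C++ (Microsoft mangling)";
    case SYM_WIN32_STDCALL:  return "C, 32-bit stdcall";
    case SYM_WIN32_FASTCALL: return "C, 32-bit fastcall";
    case SYM_C_PLAIN:        return "C-compatible, no language info";
    default:                 return "unrecognised";
    }
}

/* Over a whole symbol list: how many names carry C++ mangling at all.
 * Zero C++ symbols rules out C++ on the visible surface; it identifies nothing. */
int count_cxx_symbols(const char *const *syms, int n) {
    int cxx = 0;
    for (int i = 0; i < n; i++) {
        enum symbol_kind k = classify_symbol(syms[i]);
        if (k == SYM_ITANIUM_CXX || k == SYM_MSVC_CXX) cxx++;
    }
    return cxx;
}

int main(void) {
    /* Constructed sample: the two operator-new spellings discussed in the
     * thread plus typical 32-bit Windows import decorations. */
    const char *const sample[] = {
        "_Znwj", "??2@YAPAXI@Z", "_MessageBoxA@16", "@FastProc@8", "_main", "CreateFileA"
    };
    int n = (int)(sizeof sample / sizeof sample[0]);
    for (int i = 0; i < n; i++)
        printf("%-16s -> %s\n", sample[i], symbol_kind_name(classify_symbol(sample[i])));
    printf("C++ mangled symbols: %d of %d\n", count_cxx_symbols(sample, n), n);
    return 0;
}
```

A binary whose imports and exports show only undecorated C names and no C++ runtime symbols is consistent both with C and with a language that implements its own object model on top of C-compatible calls, which is why the absence of C++ mangling rules out C++ but identifies nothing by itself. Internal symbols are usually stripped from a release build, so this is a supporting signal to read alongside calling-convention, prologue and runtime-library patterns, not a proof on its own.
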
Guest said:

Yeah, Dart is similar to JavaScript. Exactly as in Lisp + C++.

Guest said:

That's not the source code... everyone stop saying it's assembly... of course it's assembly, because no one has the source code.
