Duqu Trojan contains mystery programming language in Payload DLL

Shawn Knight


Experts at the Russian computer security company Kaspersky have concluded that parts of the Duqu Trojan are written in an unknown programming language. Much of the code is identifiable as standard C++, but the team has been unable to determine the origin of the remaining segments and is asking the programming community for assistance.

Duqu borrows heavily from another high-profile security threat, Stuxnet, and some have referred to it as Stuxnet 2.0. The code in question is part of the Payload DLL, the component of the trojan that sends data to and receives instructions from its command-and-control servers once it has infiltrated a system. It is object-oriented but otherwise unlike anything the team at Kaspersky has seen before.


Experts have dubbed this portion of the code the Duqu Framework, and based on the sheer complexity of the code, they believe the trojan is funded by a wealthy organization or a national effort.

“With the extremely high level of customization and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program,” said Alexander Gostev, chief security expert at Kaspersky.

Igor Soumenkov of Kaspersky has authored a blog post detailing what is known about the Duqu Framework and asking the programming community to help identify the mystery code. This is what the team has concluded so far:

  • The Duqu Framework appears to have been written in an unknown programming language.
  • Unlike the rest of the Duqu body, it's not C++ and it's not compiled with Microsoft's Visual C++ 2008.
  • The highly event-driven architecture points to code which was designed to be used in pretty much any kind of conditions, including asynchronous communications.
  • Given the size of the Duqu project, it is possible that a different team was responsible for the framework than the one which created the drivers and wrote the system infection and exploits.
  • The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.
  • Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of the Duqu framework.

Those with any insight are encouraged to submit a comment on the blog post.
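The second bullet above rests on a toolchain check: before asking what language a module was written in, an analyst establishes which linker produced it. The simplest evidence is the MajorLinkerVersion/MinorLinkerVersion pair in the PE optional header, which Microsoft's linkers stamp with their own version (Visual C++ 2008 ships linker 9.0). The following script is an added example for this article, not code from Kaspersky's analysis or from Duqu: it parses a PE header far enough to read that field and maps it to a toolchain. The `build_sample_pe` helper fabricates a minimal, non-loadable PE header purely so the example runs offline; the bytes are constructed test data and say nothing about Duqu's real headers.

```python
import struct

# Linker versions stamped by Microsoft toolchains (well-known values).
# Visual C++ 2008 is linker 9.0, the version named in the Kaspersky post.
MSVC_LINKER_VERSIONS = {
    (6, 0): "Visual C++ 6.0",
    (7, 0): "Visual C++ .NET 2002",
    (7, 10): "Visual C++ .NET 2003",
    (8, 0): "Visual C++ 2005",
    (9, 0): "Visual C++ 2008",
    (10, 0): "Visual C++ 2010",
}


def pe_linker_info(data: bytes) -> dict:
    """Parse just enough of a PE image to read the linker version.

    Walks MZ header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional
    header, and returns machine, PE32/PE32+ flag, section count, timestamp,
    (major, minor) linker version and a toolchain guess. Raises ValueError
    on a malformed or truncated header instead of reading out of bounds.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need: 4-byte PE signature + 20-byte COFF header + first 4 bytes of optional header
    if e_lfanew + 4 + 20 + 4 > len(data):
        raise ValueError("e_lfanew points past end of data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 4:
        raise ValueError("optional header too small")
    opt = coff + 20
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "sections": nsections,
        "timestamp": timestamp,
        "linker": (major, minor),
        "toolchain": MSVC_LINKER_VERSIONS.get((major, minor), "unknown/non-MSVC linker"),
    }


def build_sample_pe(major: int, minor: int, magic: int = 0x10B) -> bytes:
    """Construct a minimal PE header for offline testing (constructed data,
    not loadable, not taken from any real sample)."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF: i386, 3 sections, arbitrary timestamp, no symbols, 0xE0-byte optional header, DLL flags
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x4D2B7C9E, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBB", magic, major, minor) + b"\x00" * (0xE0 - 4)
    return bytes(dos) + b"PE\x00\x00" + coff + opt


if __name__ == "__main__":
    for ver in ((9, 0), (8, 0), (2, 25)):
        info = pe_linker_info(build_sample_pe(*ver))
        print("linker %d.%d -> %s" % (info["linker"] + (info["toolchain"],)))
```

Two caveats a practitioner should keep in mind. The field is two unprotected bytes, so a packer or a deliberate edit can set it to anything; and it identifies only the linker that produced the image. Object code from a different front-end can be linked into a module alongside ordinary MSVC-compiled objects, so a "linker 9.0" stamp on the DLL as a whole is consistent with the Kaspersky finding that one part of it was not produced by Visual C++ 2008; deciding that requires looking at the code-generation patterns inside the module, not just the header.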

 
An unknown programming language? Would it be that far-fetched to think maybe the defense/government is involved? I mean, if you think about how they manipulate wars, they can do the same for the cyber world. Creating a virus that could take down major nations (which ironically targets the likes of Iran or Iraq, etc.) could give the government an excuse for tightening Internet regulations (which they are already trying to do).

That's just my 2 cents.
 
Oh wow, I never thought I would see the day programming experts would not know what language something is written in. It could be a new code the coders developed to keep certain contents hidden? Only a suggestion, but heck, it could be possible.
 
Wait, the picture in the article is supposed to be this unknown mystery code?

That's just assembly language; we used that kind of thing in computer class in 1995 already to get things like mouse pointer locations, etc.
It's seriously old school and will only run on OSes that allow hardware access.
 
Yeah, it would have been nice if they'd identified that as a stock photo (unless there's actually a little assembler in Duqu). In any case, the unknown language and high-level effort point directly to China.
 
It looks like this

http://en.wikipedia.org/wiki/High_Level_Assembly

and it probably is, in some way...
 
It does look like assembly. I took a class on it a couple of years ago. Perhaps what they mean is what language it was written in before being converted to machine instructions? They are reverse engineering it, after all; I doubt they have the source, lol.
 
Not sure about the code? There's a logical explanation for all this.

ANCIENT ALIENS.
 
It's a decompiled version of the virus, turned into assembly code, you scientists; assembly isn't the language it was programmed in. Most of the code is written in C++, but there is a part of the code which is written in an unknown/home-made programming language (a mix of Lisp and C++) and linked to the rest of the code. That's what they are trying to figure out, to know how the virus behaves there -_-
 
Assembly language with a Java twist. Keep the virtual machine server side.
 
If that picture is the code, that's just some assembly; it looks like x86 to me.
 
I've been programming in assembler for many years, and that piece of code does not appear to me to be anything out of the ordinary. It should compile in MASM without any problem.

And making statements that it wasn't written in C++ or other languages on the list is not well thought out. The truth is, many C++ implementations support inline assembler extensions and overrides, and Microsoft C++ especially so: one can override and implement in assembler anything within the C++ framework. Even .NET allows that in part!

So what's all the noise about and government conspiracy nonsense again?
 
Mystery programming language? That looks like assembly language. Is everyone so young that they have not heard of or used assembly language? Or am I so old that I am one of the few people left who have programmed in assembly language? ;)
 
Caveat: I am an old (retired) geek who used to play with machine code and assembly language. Not for anything practical or useful, just to see if it could be done ("untainted by practical application").

This is funny. I know I have written some strange programs in my time and I seem to remember my first evaluation where my boss noted that my code, “appears to have been written in an unknown programming language.” The reference in the comments about a secret government program makes old geeks empathize even more with Myron Aub in Asimov’s “The Feeling of Power”. (Google it)
/tdw/
 
Yes, congratulations, you are indeed looking at assembler language, which is how any sane person would be looking at reverse-engineered code; that does not identify the language it was written in. I hope you're all 15 years old, because the lack of thought in these comments is disturbing.
 
If they wanted to get our opinion about this strange, new, wonderful, exotic language, then they should have shown us the code instead of showing us assembly. Besides, I know coders who compile C++ to assembly, then tweak the assembly.
 
To everyone who says "Looks like assembly to me, I know cause I'm l33tz0rs." Please just stop.

1) Compiled languages (such as C and C++) are converted into machine code when compiled. Once this step is complete, a true and accurate picture of the original code is no longer retrievable, due to compiler optimizations.

2) Reverse engineering an executable is usually done by converting the machine code into assembly since assembly is usually one-to-one (one machine instruction = one line of code, although this is not always true).

3) When compiling code, a compiler goes through a well-defined list of steps. This produces machine instructions that have a noticeable pattern. By looking at the pattern of the assembly instructions, one can generally get an idea of what language the original code was written in, due to the patterns produced by following that list of steps.

So yeah... please stop.
 
hmmm... that looks like a sandboxed function written in http://en.wikipedia.org/wiki/Brain**** compiler... /s