Mystery of Duqu Programming Language Solved 97
wiredmikey writes "Earlier this month, researchers from Kaspersky Lab reached out to the security and programming community in an effort to help solve a mystery related to 'Duqu,' the Trojan often referred to as 'Son of Stuxnet,' which surfaced in October 2010. The mystery rested in a section of code written an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected system. Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called 'OO C' and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion."
Source Code? (Score:4, Insightful)
Re:Source Code? (Score:5, Insightful)
There are certain characteristics to the way C++ behaves (the manner in which you pass parameters, etc). Mainly, through having looked at lots and lots of code samples, they can say what they expect the compiled code to look like. If they know C++ compiled code looks like x, regular C looks like y, and this looked like z, it can't be C. Essentially, the code did things you simply can't do in C++ or C (even Objective C) by itself. The problem is, that method only allows you to compare to known languages. More details here [securelist.com].
It's basically like identifying an animal by footprint. Once you know a deer leaves a certain kind of footprint, you can identify more deer by examining footprints. But you can't identify an unknown animal that way: if you haven't seen a given footprint before, you won't know what animal it is, only what general characteristics it has (weight, etc.)
Re:Source Code? (Score:5, Insightful)
Old-school or new-school? (Score:4, Insightful)
FTFA:
Why did the authors of Duqu use OO C? While there is no easy explanation why OO C was used instead of C++ for the Duqu Framework, Kaspersky experts say there are two reasonable causes that support its use [More control over the code & Extreme portability]. These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers
Why OO C? Because it worked, because they new how to use it, because they knew it would throw Kaspersky for a loop, because they thought it was cool. There are many many reasons and they do not all have to be logical.
Kaspersky experts might want to consider that the programming wheel of life may have turned and that what was once old-school is now new-school. Whose to say that the under-estimated script-kiddies cannot grow up to be formidable adults with a whole new bag of tricks?
Re:Source Code? (Score:2, Insightful)
Here is an perfect example -- a friend of mine was taking a CS course and the assembly code the prof provided was absolute shit -- a perfect example of how to NOT write code. I cleaned up the assembly code into a properly commented assembly and then provided a mid-level source. By having the 3 versions to compare against my friend was able to get a better handle on reading and writing assembly code, understanding how a compiler would translate a mid-level language to a low level language, learn some good commenting styles, etc.
First, the original crap assembly provided by the Prof:
0000 RD R5 Inpt
0004 MOVI R6 0
0008 MOVI R1 0
000C MOVI R0 0
0010 LDI R10 Inpt
0014 LDI R13 Temp
0018 LOOP1: ADDI R10 4
001C RD R11 (R10)
0020 ST (R13) R11
0024 ADDI R13 4
0028 ADD I R6 1
002C SLT R8 R6 R5
0030 BNE R8 R1 LOOP1
0034 MOVI R6 0
0038 LDI R9 Temp
003C LOOP2: LW R7 0(R9)
0040 ADD R0 R0 R7
0044 ADDI R6 1
0048