Duqu Trojan code confounds researchers

ITworld | Security, Duqu Trojan, Iran

Similar to Stuxnet, the Duqu Trojan attacks industrial systems. But researchers can't get a handle on the language used.

Kaspersky researchers have been working to crack the Duqu Trojan for months, and have now released code samples asking the programming community for help. They know some of the program was written in C++, but much was written in an unidentified language. And the closer they look, the more it seems the Duqu Trojan was meant to infect industrial systems, as Stuxnet was, but to steal information rather than to break nuclear centrifuges as Stuxnet did.

Programmers, never short of opinions, have suggested Assembler, old compiler code from earlier C++ compilers, or some custom libraries tied into the compiler. Evidence suggests a large team of programmers wrote the code, much like Stuxnet. Just like Stuxnet, the Duqu Trojan is aimed at Iran's nuclear facilities, but was first sighted years earlier than Stuxnet, in 2007.

Code conversations

It's Assembly Language, I'd recognize it anywhere. Looks like it is using an inline assembler, like the old Borland C, Delphi or similar.
MIBovrd on zdnet.com

The code you're referring to... the unknown C++ looks like the older IBM compilers found in OS400, SYS38 and the oldest SYS36.
As400tech on securelist.com

The calling conventions are non-conventional with parameters being assigned to different registers. Almost like hand coded assembly with object based programming techniques.
Bruizer on zdnet.com

Conspiracy theories

Almost have to think that Israel is behind this if it is that advanced (i.e. "State") and if it is likely to be disruptive technology aimed at Iran.
jkohut on zdnet.com

The likely suspects fitting that set of criteria are IBM, Microsoft, SAS and SAIC. All the others (remnant AT T, HP, remnant SGI... who am I forgetting?) incorporate a considerable amount of fairly recognizable shared compiler code in their offerings.
SCooke on securelist.com
