IP Source

Thursday 8 March 2012

DuQu - Mystery Code

VANCOUVER, British Columbia — DuQu, the malicious code that followed in the wake of the infamous Stuxnet code, has been analyzed nearly as much as its predecessor. But one part of the code remains a mystery, and researchers are asking programmers for help in solving it.

The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines.

Researchers at Russia-based antivirus firm Kaspersky Lab have been unable to determine the language in which the communication module is written and plan to discuss the mystery code Wednesday at the CanSecWest security conference in Vancouver in the hope of finding someone who can identify it.

They’ve also published a blog post providing more information about the language.

While other parts of DuQu are written in the C++ programming language and are compiled with Microsoft’s Visual C++ 2008, this part is not, according to Alexander Gostev, chief security expert at Kaspersky Lab. Gostev and his team have also determined that it’s not Objective C, Java, Python, Ada, Lua or many other languages they know.

While it’s possible the language was created exclusively by DuQu’s authors for their project and has never been used elsewhere, it’s also possible it’s a language that is commonly used, but only by a specific industry or class of programmers.

Kaspersky is hoping that someone in the programming community will recognize it and come forward to identify it. Identification of the language could help analysts build a profile of DuQu’s authors, particularly if they can tie the language to a group of people known to use this specialized programming language or even to people who were behind its development.

DuQu was discovered last year by Hungarian researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics.

The researchers examined the code on behalf of an unidentified company that was infected by the malware. The Hungarian researchers discovered that the code was remarkably similar to Stuxnet and concluded that it had been written by the same team. But although Stuxnet was designed to sabotage centrifuges used in Iran’s uranium enrichment program, DuQu’s purpose was espionage. Researchers believe it’s designed to gather intelligence about targeted systems and networks in order for its authors to then design other malware, such as Stuxnet, to sabotage those systems.

Kaspersky researchers have been analyzing the code and its command-and-control structure on and off for months. In that time, they’ve been unable to determine very much about the language in which DuQu’s communication module is written, except that the language is object-oriented and is highly specialized.

The module is an important part of DuQu’s payload — which is the part of DuQu that performs malicious functions once it’s on an infected machine. The module allows DuQu’s DLL file to operate completely independent of other DuQu modules. It also takes data stolen from infected machines and transmits it to command-and-control servers and has the ability to distribute additional malicious payloads to other machines on a network, in order to spread the infection.

It’s unclear why this part of the malware was written in a different language, but Gostev says it could be that it was simply written by a different team than the team that wrote the rest of the code. This team may have used this language simply because it was more familiar with it, or it had special properties for the tasks the team wanted to accomplish.

But, Gostev says, it could also be that DuQu’s developers purposely used a customized language for this part of the malware in order to prevent researchers and anyone else who might discover the code from fully analyzing it and understanding its interactions with command-and-control servers.

No comments:

Post a Comment

Send a plain text, no attachments, email from any client to comment. Only registered users or OpenID have this access.