Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43445
  • Total Topics: 16537
  • Online today: 2962
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 0
Guests: 2956
Total: 2956









Author Topic: Kaspersky Lab discover: "Duqu Trojan" written in an unknown programming language  (Read 3720 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Security researchers are appealing for help after discovering that part of the Duqu Trojan was written in an unknown programming language.

Duqu is a sophisticated Trojan reckoned to have been created by the same group behind the infamous Stuxnet worm. While the finely tuned Stuxnet worm was designed to home in on specific industrial control systems – namely systems controlling high-speed centrifuges used by Iran's controversial nuclear enrichment plants – Duqu was created to fulfil the slightly different role of a backdoor where intruders could slip into SCADA-based systems and nick confidential information.

Securo-boffins at Kaspersky Lab have discovered during their research that Duqu uses the mystery code to communicate with its Command and Control (C&C) servers once it infects a compromised machine. Researchers at the Russian anti-virus firm have named this unknown section the "Duqu Framework".

Unlike the rest of Duqu, the Duqu Framework is not written in C++ and it's not compiled with Microsoft's Visual C++ 2008. The Kaspersky research team has gone some way in unravelling the mystery language used by the Duqu Framework, but still needs addition help. So far, the researchers have worked out what the mystery code does, but are still mostly in the dark about the grammar and syntax of the programming language, they said.

Kaspersky Lab researchers explained:
Quote
    "It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language. However, Kaspersky Lab researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications.

    The language in the Duqu Framework is highly specialised. It enables the Payload DLL to operate independently of the other Duqu modules and connects it to its dedicated C&C through several paths, including Windows HTTP, network sockets and proxy servers. It also allows the Payload DLL to process HTTP server requests from the C&C directly, stealthily transmit copies of stolen information from the infected machine to the C&C and even distribute additional malicious payload to other machines on the network, creating a controlled and discreet form of spreading infections to other computers."

Having gone as probably as far as they can, Kaspersky Lab is appealing to the programming community for support in analysing the mystery language used to build the malware. It wants to hear from coders who recognise either a framework, toolkit or a programming language that can generate similar code.

The creation of a dedicated programming language to construct the communications module shows how skilled the developers were, as well as providing evidence that significant financial resources were ploughed into developing the Duqu Trojan project.

"Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system infection exploits," explained Alexander Gostev, chief security expert at Kaspersky Lab. "With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program."

Duqu was first detected in September 2011, but Kaspersky Lab reckons the first trace of Duqu-related malware dates all the way back to August 2007. The Russian security firm has logged more than a dozen incidents of Duqu infection, with the vast majority of victims located in Iran.

More details about the Duqu Trojan and its mystery communications modules can be found on Securelist, Kaspersky Lab’s research site, here: http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
Researchers at Kaspersky, which has carried out a great deal of top-notch analysis work on the topic, were the first to find the "smoking code" linking Stuxnet and Duqu: http://scforum.info/index.php/topic,7144.0.html

(ElReg)

Samker's Computer Forum - SCforum.info


Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Intresting !
Lets see in the future if more intrusion is written in unkown program languages. The the AntiVirus companys have a new problem to solv to find this virus and Troyans.
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Intresting !
Lets see in the future if more intrusion is written in unkown program languages. The the AntiVirus companys have a new problem to solv to find this virus and Troyans.


hmmm...  :-\

...maybe this is "evidence" that some Country (Countries) develop some "strategic weapon" ?! 8)


"Related" stories:

- "Stuxnet worm is the 'work of a national government agency'": http://www.guardian.co.uk/technology/2010/sep/24/stuxnet-worm-national-agency

- "Israeli Test on Worm Called Crucial in Iran Nuclear Delay": http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all

- "Stuxnet worm 'targeted high-value Iranian assets'": http://www.bbc.co.uk/news/technology-11388018



devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
After compilation... How much difference does the original programming language make in code execution? Curious...

For the rest: impressed by the Bad Guys :*

Peace!

Devvie



~~~ notemail@facebook.com ~~~

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-011 by DevNullius)
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023