The Duqu Trojan was partly written using an unknown programming language, according to researchers at Kaspersky.
"The big unsolved mystery of the Duqu Trojan relates to how the malicious program was communicating with its Command and Control (C&C) servers once it infected a victim's machine. The Duqu module that was responsible for interacting with the C&Cs is part of its Payload DLL," Kaspersky said. "After a comprehensive analysis of the Payload DLL, Kaspersky Lab researchers have discovered that a specific section inside the Payload DLL, which communicates exclusively with the C&Cs, was written in an unknown programming language. Kaspersky Lab researchers have named this unknown section the 'Duqu Framework.'"
Duqu is a sophisticated Trojan that was created by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. Duqu was first detected in September 2011, but according to Kaspersky Lab data, the first trace of Duqu-related malware dates back to August 2007. Kaspersky has recorded over a dozen incidents involving Duqu, with the vast majority of victims located in Iran. According to the security company, the main goal of the attacks was to steal information about industrial control systems used in a number of industries as well as gathering intelligence about the commercial relations of a whole range of Iranian organizations.
Unlike the rest of Duqu, the Duqu Framework is not written in C++ and it's not compiled with Microsoft's Visual C++ 2008. "It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language," Kaspersky said. However, Kaspersky Lab researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications.
The language in the Duqu Framework is highly specialized. It enables the Payload DLL to operate independently of the other Duqu modules and connects it to its dedicated C&C through several paths including Windows HTTP, network sockets and proxy servers. It also allows the Payload DLL to process HTTP server requests from the C&C directly, stealthily transmits copies of stolen information from the infected machine to the C&C, and can even distribute additional malicious payload to other machines on the network, which creates a controlled and discreet form of spreading infections to other computers.
"Given the size of the Duqu project, it's possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team which created the drivers and wrote the system infection exploits," said Alexander Gostev, Chief Security Expert at Kaspersky Lab. "With the extremely high level of customization and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program."
According to Alexander Gostev, the creation of a dedicated programming language demonstrates just how highly skilled the developers working on the project are, and points to the significant financial and labor resources that have been mobilized to ensure the project is implemented.
Kaspersky Lab appeals to the programming community and asks anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions, to contact the company.