Monday, March 19, 2012

DuQu Mystery Language Solved With the Help of Crowdsourcing

Via Wired.com (Threat Level) -

A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.

The language, which DuQu used to communicate with command-and-control servers, turns out to be a special type of C code compiled with the Microsoft Visual Studio Compiler 2008.

Researchers at Kaspersky Lab, who put out the call for help two weeks ago after failing to figure out the language on their own, said they received more than 200 comments to a blog post they wrote seeking help, and more than 60 direct emails from programmers and others who made suggestions.

[...]

Most commenters who wrote in response to Kaspersky’s plea thought the code was a variant of LISP, but the reader who led them in the right direction was a commenter who identified himself as Igor Skochinsky and wrote in a thread posted to Reddit.com that he was certain the code was generated with the Microsoft Visual Studio Compiler and offered some cogent reasons why he believed this. Two other people who sent Kaspersky direct emails made crucial contributions when they suggested that the code appeared to be generated from a custom object-oriented C dialect — referred to as OO C — using special extensions.

This led the researchers to test various combinations of compilers and source code over a few days until they found the combination that produced a binary matching the style seen in DuQu.

The magic combination was C code compiled with Microsoft Visual Studio Compiler 2008 using the /O1 and /Ob1 compiler options to keep the code small.

“Visual C can optimize for speed and it can optimize for size, or it can do some kind of balance between the two,” says Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. “But they wanted obviously the smallest possible size of code” to get it onto victim machines via an exploit.
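The finding above, that the DuQu payload was built with Visual Studio 2008, was reached by matching code style. A cheaper check an analyst can run first is to read the linker version a PE file records in its optional header, since Microsoft's link.exe from Visual Studio 2008 writes 9.0 there. The following script is an added example (not code from the Wired article or from Kaspersky) that parses that field from raw bytes and maps it to a toolset name; the version-to-toolset table and the constructed sample header are assumptions for illustration, and the field is only a hint, because it is trivially editable and proves nothing on its own.

```python
"""Added example: read MajorLinkerVersion/MinorLinkerVersion from a PE image
and map it to the Visual Studio release that normally writes it.

Assumption: the mapping below covers the common link.exe versions; anything
else is reported as unknown.  The field is a weak hint only."""
import struct
from typing import Tuple

# Linker major.minor as written by Microsoft's link.exe -> toolset.
MSVC_LINKER_VERSIONS = {
    (6, 0): "Visual Studio 6.0",
    (7, 0): "Visual Studio .NET 2002",
    (7, 10): "Visual Studio .NET 2003",
    (8, 0): "Visual Studio 2005",
    (9, 0): "Visual Studio 2008",
    (10, 0): "Visual Studio 2010",
    (11, 0): "Visual Studio 2012",
    (12, 0): "Visual Studio 2013",
    (14, 0): "Visual Studio 2015",
}


def pe_linker_version(data: bytes) -> Tuple[int, int]:
    """Return (MajorLinkerVersion, MinorLinkerVersion) from a PE image.

    Layout: 'MZ' DOS header with e_lfanew at 0x3C -> 'PE\\0\\0' signature,
    20-byte COFF header, then the optional header whose bytes 2 and 3 hold
    the linker version.  Raises ValueError for anything that is not a
    plausible PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the signature, the COFF header and the first 4 optional-header bytes.
    if e_lfanew + 28 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    if size_of_optional < 4:
        raise ValueError("no optional header")
    opt = coff + 20
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return major, minor


def guess_toolset(data: bytes) -> str:
    """Human-readable linker version plus the toolset it usually indicates."""
    major, minor = pe_linker_version(data)
    name = MSVC_LINKER_VERSIONS.get((major, minor), "unknown toolset")
    return "%d.%d (%s)" % (major, minor, name)


def build_sample_pe(major: int, minor: int) -> bytes:
    """Constructed minimal PE32 header (not a real executable) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    # Machine=i386, 1 section, no timestamp/symbols, 0xE0-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB", 0x10B, major, minor) + bytes(0xE0 - 4)
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    print(guess_toolset(build_sample_pe(9, 0)))  # 9.0 (Visual Studio 2008)
```

To run it on a real sample, pass `open(path, "rb").read()` to `guess_toolset`; a 9.0 result is consistent with a VS2008 build, while a mismatch with the code-style evidence is itself worth noting, since the header is easy to rewrite and the style is not.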

[...]

It suggests that whoever coded this part of DuQu was conservative, precise, and wanted 100 percent assurance that the code would work the way they wanted it to work.

But there was one other reason DuQu’s old-school programmers might have preferred C over C++ – its versatility. When C++ was initially developed, it was not standardized and wouldn’t compile in every compiler. C was more flexible. DuQu was delivered to Windows machines using a Microsoft Word zero-day exploit. But Raiu thinks DuQu’s programmers might have chosen C because they wanted to make sure that their code could be compiled with any compiler on any platform, suggesting they were thinking ahead to other ways in which their code might be used.

“Obviously when you create such a complex espionage tool, you take into account that maybe some day you will run it on servers, maybe you will want to run it on mobile phones or God knows what other devices, so you just want to make sure your code will work everywhere,” he says.
