Duqu Mystery Code Identified
Category: Bugs / Virus
Posted: March 20, 2012 08:55AM
Not long ago the security researchers at Kaspersky Labs found code in the Duqu virus that they were not familiar with. To solve the mystery they crowd-sourced it by posting the code on their Secure List blog, and the Internet came through.
Among the suggested languages was Object Oriented C, or OO C, built with a version of the Microsoft Visual compiler (MSVC). The use of MSVC was spotted because certain constructs in the compiled code are not typical of other compilers. This set the Kaspersky team working with the compiler, and eventually they found that MSVC 2008 with the minimize size (/O1) and expand only __inline (/Ob1) options produced code similar to Duqu's.
This proves that some form of OO C was used, though oddly the closest match was not published until after Duqu was released. The finding also sheds some light on Duqu's programmers. The way code is written has been changing ever since programming began, and OO C requires the programmer to do by hand what a language like C++ does automatically. In many modern languages, if not all, memory allocation is managed automatically, whereas in OO C it has to be done manually. Some programmers prefer OO C for exactly this reason, as they do not trust all of the features in newer languages. There was also a time when different C++ compilers would give different results, while OO C behaved the same on every system.
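As an added illustration (not code from the article, from Kaspersky, or from Duqu itself), here is the object-oriented C idiom described above: a struct whose first field points to a hand-written function table, with construction and destruction done through explicit malloc and free. All names are invented for the example.

```c
#include <stdlib.h>
struct Counter;  /* forward declaration so the ops table can refer to it */

/* Hand-written function table: the role a C++ vtable plays, done by hand. */
struct CounterOps {
    int  (*add)(struct Counter *self, int n);
    void (*destroy)(struct Counter *self);
};

/* The "object": a pointer to its ops table first, then its fields. */
struct Counter {
    const struct CounterOps *ops;
    int value;
};

static int counter_add(struct Counter *self, int n) {
    self->value += n;
    return self->value;
}

/* A second "class" with the same layout but different behaviour. */
static int doubler_add(struct Counter *self, int n) {
    self->value += 2 * n;
    return self->value;
}

static void counter_destroy(struct Counter *self) {
    free(self);  /* nothing is freed for us: memory management is manual */
}

static const struct CounterOps counter_ops = { counter_add, counter_destroy };
static const struct CounterOps doubler_ops = { doubler_add, counter_destroy };

/* "Constructor": allocate and install the ops table by hand; NULL on OOM. */
struct Counter *counter_new(int start, int doubling) {
    struct Counter *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->ops = doubling ? &doubler_ops : &counter_ops;
    c->value = start;
    return c;
}

/* Call through the table: in a disassembly this shows as an indirect call. */
int counter_demo(int start, int n, int doubling) {
    struct Counter *c = counter_new(start, doubling);
    if (c == NULL) return -1;
    int r = c->ops->add(c, n);
    c->ops->destroy(c);
    return r;
}
```

The indirect call through `ops` and the explicit free are the traits an analyst sees when such code is compiled, which is why the pattern was hard to attribute to a familiar language at first.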
Regardless of the reasons behind the use of OO C, this shows a great deal of skill and experience in the making of Duqu. As described in the Kaspersky blog post, "Duqu, just like Stuxnet, is a 'one of a kind' piece of malware which stands out like a gem from the large mass of 'dumb' malicious program we normally see."