Duqu is a sophisticated Trojan that was created by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. Duqu was first detected in September 2011, but according to Kaspersky Lab data, the first trace of Duqu-related malware dates back to August 2007. The company’s experts have recorded over a dozen incidents involving Duqu, with the vast majority of victims located in Iran. An analysis of the victim organisations’ activities and the nature of the information targeted by the Duqu authors clearly suggest the main goal of the attacks was to steal information about industrial control systems used in a number of industries as well as gathering intelligence about the commercial relations of a whole range of Iranian organisations.
The big unsolved mystery of the Duqu Trojan relates to how the malicious program was communicating with its Command and Control (C&C) servers once it infected a victim’s machine. The Duqu module that was responsible for interacting with the C&Cs is part of its Payload DLL. After a comprehensive analysis of the Payload DLL, Kaspersky Lab researchers have discovered that a specific section inside the Payload DLL, which communicates exclusively with the C&Cs, was written in an unknown programming language. Kaspersky Lab researchers have named this unknown section the “Duqu Framework.”
Unlike the rest of Duqu, the Duqu Framework is not written in C++ and it’s not compiled with Microsoft’s Visual C++ 2008. It is possible that its authors used an in-house framework to generate intermediary C code, or they used another completely different programming language. However, Kaspersky Lab researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications.
The language in the Duqu Framework is highly specialised. It enables the Payload DLL to operate independently of the other Duqu modules and connects it to its dedicated C&C through several paths including Windows HTTP, network sockets and proxy servers. It also allows the Payload DLL to process HTTP server requests from the C&C directly, stealthily transmits copies of stolen information from the infected machine to the C&C, and can even distribute additional malicious payload to other machines on the network, which creates a controlled and discreet form of spreading infections to other computers. A full description of the analysis and its related data can be found at Securelist, Kaspersky Lab’s research site.
“Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team which created the drivers and wrote the system infection exploits,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab. “With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program.”
According to Alexander Gostev, the creation of a dedicated programming language demonstrates just how highly skilled the developers working on the project are, and points to the significant financial and labour resources that have been mobilised to ensure the project is implemented.
Kaspersky Lab would like to make an appeal to the programming community and ask anyone who recognises the framework, toolkit or the programming language that can generate similar code constructions, to please contact our experts.
We are confident that with your help we can solve this deep mystery in the Duqu saga.
The full version of the Duqu Framework analysis by Igor Soumenkov and Costin Raiu can be found on Securelist.