Kaspersky Lab Appeals To Global Programmers To Help Fight Duqu

Press Release:

Kaspersky Lab, a leading secure content and threat management solutions developer, appeals to the programming community to solve the deep mystery in the Duqu saga that sparks theories that it was launched as a way to conduct high-level cyber-espionage and sabotage.

Duqu is a sophisticated Trojan that was created by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information.

In an effort to find out Duqu’s intentions and where it would be going, security experts from Kaspersky Lab ask the vast programming community worldwide to share in the analysis of Duqu.

Kaspersky Lab Chief Security Officer Alexander Gostev said that the help of the programming community would help identify how Duqu was made and to track down its creators. Doing such would prevent attacks that would use it as a weapon.

The big unsolved mystery of the Duqu Trojan relates to how the malicious program was communicating with its Command and Control (C&C) servers once it infected a victim’s machine. The Duqu module that was responsible for interacting with the C&Cs is part of its Payload DLL.

After a comprehensive analysis of the Payload DLL, Kaspersky Lab researchers have discovered that a specific section inside the Payload DLL, which communicates exclusively with the C&Cs, was written in an unknown programming language. Kaspersky Lab researchers have named this unknown section the “Duqu Framework.”

Gostev reveals that Duqu has been found to be using either a totally new or an unknown programming language, unlike most malware that were developed by traditional programming languages like C++ or Visual C++.

Having such a different programming language already points out to the type of sophistication in creating the Duqu malware, which in turn reveals the high-level programming skill sets used by its creators.

According to Alexander Gostev, the creation of a dedicated programming language demonstrates just how highly skilled the developers working on the project are, and points to the significant financial and labor resources that have been mobilized to ensure the project is implemented.

“Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework. With the extremely high level of customization and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program,” Gostev says.

So far, the majority of Duqu infections have been found in Iran. However, it does not stop its creators to target other newly-industrialized countries, especially those in Asia where many industries are already adopting technology in their business, since the country has already become a major hub for IT outsourcing services.

The Philippines, for one is already a major hub for IT outsourcing services. The spread of Duqu in the Philippines could have dire effects on its multibillion-dollar outsourcing business.