Académique Documents
Professionnel Documents
Culture Documents
While analyzing the components of Duqu [ INCLUDE LINK TO OUR DUQU PAGE WITH ALL THE PREVIOUS
COVERAGE ], we discovered an interesting anomaly in the main component that is responsible for its
business logics, the Payload DLL. We would like to share our findings and ask for help identifying the
code.
Code layout
At first glance, the Payload DLL looks like a regular Windows PE DLL file compiled with Microsoft Visual
Studio 2008 (linker version 9.0). The entry point code is absolutely standard, and there is one function
exported by ordinal number 1 that also looks like MSVC++. This function is called from the PNF DLL and
it is actually the main function that implements all the logics of contacting C&C servers, receiving
additional payload modules and executing them. The most interesting is how this logic was programmed
and what tools were used.
The code section of the Payload DLL is common for a binary that was made from several pieces of code.
It consists of slices of code that may have been initially compiled in separate object files before they
were linked in a single DLL. Most of them can be found in any C++ program, like the Standard Template
Library (STL) functions, run-time library functions and user-written code, except the biggest slice that
contains most of C&C interaction code.
The Framework
Features
The code that implements the Duqu Framework has several distinctive properties:
-
Objects
All objects are instances of some class, we identified 60 classes. Each object is constructed with a
constructor function that allocates memory, fills in the function table and initializes members.
Layout of the linked list object. First 10 fields are pointers to member functions.
Objects are destroyed by corresponding destructor functions. These functions usually destroy all
objects referenced by member fields and free any memory used.
Member functions can be referenced by the objects function table (like virtual functions in C++) or
they can be called directly. In most object-oriented languages, member functions receive the this
parameter that references the instance of the object, and there is a calling convention that defines the
location of the parameter either in a register, or in stack. This is not the case for the Duqu Framework
classes they can receive this parameter in any register or in stack.
This event-driven model resembles Objective C and its message passing features, but the code does not
have any direct references to the language, neither does it look like compiled with known Objective C
compilers.
case Connected:
case ReadData:
}
}
Conclusions
The Duqu Framework appears to have been written in an unknown programming language.
Unlike the rest of the Duqu body, it's not C++ and it's not compiled with Microsoft's Visual C++
2008.
The highly event driven architecture points to code which was designed to be used in pretty
much any kind of conditions, including asynchronous commutations.
Given the size of the Duqu project, it is possible that another team was responsible for the
framework than the team which created the drivers and wrote the system infection and
exploits.
The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada,
Lua and many other languages we have checked.
Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of
the Duqu framework.