[ISN] Duqu espionage malware authored by "old-school" developers

From: InfoSec News <alerts_at_private>
Date: Tue, 20 Mar 2012 03:08:06 -0500 (CDT)
http://arstechnica.com/business/news/2012/03/duqu-espionage-malware-authored-by-old-school-developers.ars

By Dan Goodin
March 19, 2012
Ars Technica

A sophisticated piece of espionage malware with ties to the Stuxnet worm 
used to disrupt Iran's nuclear program was probably authored by an 
experienced team of "old school" professional developers, researchers 
from antivirus provider Kaspersky said.

They drew that conclusion after seeking the help of researchers and 
software developers around the world in identifying the programming 
language used to develop one part of the Duqu malware. Systems infected 
with Duqu used the mystery module to receive instructions from 
command-and-control servers. It didn't rely on C++ as most of the other 
Duqu modules did, and the Kaspersky researchers were also able to rule 
out the use of Objective C, Java, Python, Ada, Lua and several other 
languages.

In the weeks following the request for help, the Kaspersky researchers 
received more than 200 blog comments and more than 60 e-mails that 
helped fill in the blanks. Among them were comments in a Reddit post by 
someone identified as Igor Skochinsky, who said the mystery code looked 
similar to code derived from object-oriented frameworks for the C 
programming language. Other readers soon concluded it was generated 
from a custom object-oriented C dialect, usually referred to as OO C.

The most likely reason for the choice was the Duqu developers' mistrust 
of C++ compilers, which in older days often suffered from 
memory-allocation problems and emitted indirect calls the programmer 
could not see; hand-written object-oriented C keeps every allocation 
and every function-pointer call explicit in the source. The malware 
authors also appeared to want their code to build with multiple 
compilers, including Watcom C++, rather than only the one shipped in 
Microsoft's Visual Studio package.
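As an added illustration of what the "OO C" idiom described above looks 
like, and why it gives the explicit control over allocation and 
indirect calls that the article says the authors preferred to C++: the 
following is example code written for this page, not code from the Ars 
Technica piece, from Kaspersky's analysis, or from Duqu itself. The 
type and function names (Object, Vtbl, Counter, counter_new, 
object_release, demo_checksum) and the two sample buffers are 
hypothetical and constructed here. Note that every "virtual" call is a 
visible function-pointer dereference and every allocation is a paired 
calloc/free, which is the pattern a reverse engineer sees when C is 
written this way rather than compiled from C++.

```c
/* Example "OO C" class with an explicit function-pointer table.
 * Illustrative code for this page only; not Duqu's code.
 * All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct Object;

/* Explicit vtable: each indirect call is a visible field, nothing is
 * emitted by the compiler behind the programmer's back. */
typedef struct Vtbl {
    void (*destroy)(struct Object *self);
    int  (*process)(struct Object *self, const unsigned char *buf, size_t len);
} Vtbl;

/* Base object header: vtable pointer first, then a reference count, so
 * every derived object starts with the same layout. */
typedef struct Object {
    const Vtbl *vtbl;
    int refcount;
} Object;

/* A derived "class": the base header followed by its own fields. */
typedef struct Counter {
    Object base;
    unsigned long bytes_seen;
    unsigned char checksum;
} Counter;

static void counter_destroy(Object *self) {
    free(self);   /* release is an explicit, paired call, not a hidden dtor */
}

static int counter_process(Object *self, const unsigned char *buf, size_t len) {
    Counter *c = (Counter *)self;   /* explicit "this" cast; C has no implicit one */
    for (size_t i = 0; i < len; i++)
        c->checksum ^= buf[i];      /* toy XOR checksum over the input */
    c->bytes_seen += len;
    return 0;
}

/* One shared table per class, exactly like a compiler-generated vtable
 * but written by hand and therefore visible in the source. */
static const Vtbl counter_vtbl = { counter_destroy, counter_process };

/* Constructor: allocate, install the vtable pointer, initialise fields. */
Counter *counter_new(void) {
    Counter *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->base.vtbl = &counter_vtbl;
    c->base.refcount = 1;
    return c;
}

/* Manual reference counting in place of C++ destructors/RAII. */
void object_addref(Object *o) { o->refcount++; }
void object_release(Object *o) {
    if (--o->refcount == 0)
        o->vtbl->destroy(o);    /* virtual call through the explicit table */
}

/* Driver: feed two constructed buffers through the object and return the
 * resulting checksum (0x77 for the inputs below). */
unsigned char demo_checksum(void) {
    static const unsigned char msg1[] = "hello";   /* constructed sample */
    static const unsigned char msg2[] = "duqu";    /* constructed sample */
    Counter *c = counter_new();
    if (!c) return 0;
    Object *o = &c->base;
    o->vtbl->process(o, msg1, 5);
    o->vtbl->process(o, msg2, 4);
    unsigned char result = c->checksum;
    object_release(o);          /* refcount hits 0, counter_destroy frees it */
    return result;
}

int main(void) {
    printf("checksum = 0x%02x\n", demo_checksum());
    return 0;
}
```

In a disassembler this pattern shows up as a constant table of function 
addresses stored at offset 0 of each object and calls of the form 
`call [reg]`, with the object pointer passed as an ordinary first 
argument; that combination, without the C++ runtime library's 
allocation and exception helpers, is the kind of evidence the analysis 
relied on.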

[...]

Received on Tue Mar 20 2012 - 01:08:06 PDT