Kaspersky Lab has revealed that the Duqu malware used source code written in object-oriented C (OO C), which it says was specially written by a professional.
It claimed that a previously unknown code block, located inside a section of the malicious program's Payload DLL that was responsible for interacting with the command and control (C&C) servers after infection, consists of ‘C' source code compiled with Microsoft Visual Studio 2008 and special options for optimising code size and in-line expansion.
It said that the code was also written with a customised extension for combining object-oriented programming with C, generally referred to as ‘OO C'.
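As an added illustration of the 'OO C' idiom the analysis describes (example code written for this page, not Kaspersky's findings or any Duqu code; the Shape, Rect and Circle "classes" are invented): each object is a struct whose first field points to a per-class table of function pointers, constructors install that table, and every method takes the object explicitly, which is what gives such code its recognisable compiled shape.

```c
#include <stdlib.h>
#include <string.h>

#define SHAPE_PI 3.14159265358979

/* OO C idiom: each "class" has a vtable (table of function pointers), every
 * object begins with a pointer to its class's vtable, and every method takes
 * the object ("self") as an explicit first argument. */
typedef struct Shape Shape;
typedef struct {
    double (*area)(const Shape *self);
    const char *(*name)(const Shape *self);
    void (*destroy)(Shape *self);
} ShapeVTable;
struct Shape { const ShapeVTable *vt; };            /* base "class" */
typedef struct { Shape base; double w, h; } Rect;    /* base first: Rect* usable as Shape* */
typedef struct { Shape base; double r; } Circle;

static double rect_area(const Shape *s) { const Rect *r = (const Rect *)s; return r->w * r->h; }
static const char *rect_name(const Shape *s) { (void)s; return "rect"; }
static double circle_area(const Shape *s) { const Circle *c = (const Circle *)s; return SHAPE_PI * c->r * c->r; }
static const char *circle_name(const Shape *s) { (void)s; return "circle"; }
static void heap_destroy(Shape *s) { free(s); }     /* shared "destructor" for malloc'd objects */
static const ShapeVTable RECT_VT   = { rect_area,   rect_name,   heap_destroy };
static const ShapeVTable CIRCLE_VT = { circle_area, circle_name, heap_destroy };

/* Constructors: allocate, install the class vtable, initialise the fields. */
Shape *rect_new(double w, double h) {
    Rect *r = malloc(sizeof *r);
    if (r) { r->base.vt = &RECT_VT; r->w = w; r->h = h; }
    return r ? &r->base : NULL;
}
Shape *circle_new(double radius) {
    Circle *c = malloc(sizeof *c);
    if (c) { c->base.vt = &CIRCLE_VT; c->r = radius; }
    return c ? &c->base : NULL;
}

/* Virtual dispatch: the caller never names the concrete type. */
double shape_area(const Shape *s) { return s->vt->area(s); }
const char *shape_name(const Shape *s) { return s->vt->name(s); }
void shape_destroy(Shape *s) { if (s) s->vt->destroy(s); }

/* Build, dispatch, destroy; return the result (-1.0 / "none" if allocation failed). */
double area_via_dispatch(Shape *s) { double a = s ? shape_area(s) : -1.0; shape_destroy(s); return a; }
const char *name_via_dispatch(Shape *s) { const char *n = s ? shape_name(s) : "none"; shape_destroy(s); return n; }
```

Calling `area_via_dispatch(rect_new(3.0, 4.0))` and `area_via_dispatch(circle_new(1.0))` runs the same dispatch code through two different vtables.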
Having called on the security industry for assistance, Vitaly Kamluk, chief malware expert at Kaspersky Lab, said that the use of this code made the malware more portable, efficient and lightweight, and that analysing the code would help determine who the attacker(s) was and reveal habits that would allow a better guess at who was behind it.
“It is common for software developers to use simple tools to create code that is easier and faster and makes life simpler. With Duqu it is the opposite, professional developers create their own framework so a software architect introduced this module.”
He also said that this code/framework was used for the first time in this instance, or it would have been recognised. “OO C is a common development approach for Mac OS, this is a reimplementation for Mac OS but for Windows, but there is some malware for Mac OS which is implemented in OO C,” he said.
Kamluk said that it was 'civil code', developed by a normal cybercriminal, that looks like the normal style used for coding enterprise-style applications, but that behind it there was likely to be a large organisation that could afford special skills in its development team.
He suspected that it was built by someone with special skills and by a development team of 20-30 people, and that the team may have been drawn from different organisations. He also said that the analysis showed no clear geographical indicators.
“Compared to traditional malware, it may take at least three-to-five times longer to create it. Traditional malware can be created by a student, this was done by a professional,” he said.