In analyzing Duqu, Kaspersky uncovered an “interesting anomaly” in its main component that is responsible for its business logics, the Payload DLL, explained Soumenkov in a blog. “We would like to share our findings and ask for help identifying the code”, he added.
“At first glance, the Payload DLL looks like a regular Windows PE DLL file compiled with Microsoft Visual Studio 2008 (linker version 9.0)”, he explained. The Payload DLL is the main function that implements the logics of contacting the command and control servers, receiving additional payloads and executing them, he added.
A section of the Payload DLL “was not compiled from C++ sources” and “contains no reference to any standard or user-written C++ functions but it is definitely object-oriented.” Kaspersky calls this section the Duqu Framework.
Soumenkov then provided extensive details about the Duqu Framework and concluded that the framework was not written in any known programming language.
“We would like to make an appeal to the programming community and ask anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions, to contact us or drop us a comment in this blogpost. We are confident that with your help we can solve this deep mystery in the Duqu story”, Soumenkov wrote.