
Duqu: a government intelligence agency built cyberweapon?

19 March 2012

Last week Kaspersky Lab announced that it had discovered an unrecognized programming language within the Duqu worm code. It asked the research community for help in identifying it, and the research community responded.

The truth is less dramatic than some might have hoped, but intriguing nevertheless. The code is not a purpose-designed new language with its own compiler, which would have been the elephant in the room. Where Duqu is concerned, the elephant is this: is Duqu the first example of a cyberweapon built by a government intelligence agency? Many suspect it is; nobody knows for certain. (Stuxnet belongs in any such discussion, since Kaspersky has also demonstrated beyond any reasonable doubt that Duqu and Stuxnet came from the same team.)

The language ‘found’ by Kaspersky inside Duqu is just an old language – object oriented C, or OOC: plain C in which objects and their member functions are built by hand (typically structs carrying tables of function pointers) rather than generated by a C++ compiler, which is why the resulting code matched neither ordinary C nor compiler-produced C++ in the disassembly. But the discovery adds further fuel to the unproven conjecture. Kaspersky believes there could be two reasons to use OOC rather than the more popular C++. Firstly, ‘old-school’ programmers regard it as a more reliable framework, with less opportunity for unexpected behaviour than some more recent languages; and secondly, it offers wide portability without the platform and compiler limitations that arise with C++.
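To make the term concrete, here is an added example of what "object-oriented C" looks like in practice. It is not Duqu's code and not Kaspersky's: the base `struct object`, the two derived classes `byte_counter` and `xor_folder`, and the sample input are invented for this illustration. The point to notice is the hand-built vtable: every method call goes through a function pointer loaded from a table the object points to, the indirect-call shape an analyst sees in a disassembly of such code.

```c
/* Added illustration of "object-oriented C": plain C with hand-built
 * vtables. Not Duqu code; the class names and sample data are invented. */
#include <stdio.h>
#include <stdlib.h>

struct object;

/* A hand-built vtable: one table per class, shared by all its instances. */
struct object_vtbl {
    const char *name;
    int  (*process)(struct object *self, const unsigned char *buf, size_t len);
    void (*destroy)(struct object *self);
};

/* Base "class": the vtable pointer is the first field, so any struct that
 * embeds struct object as its first member can be passed as an object. */
struct object { const struct object_vtbl *vtbl; };

/* Derived class 1: counts the bytes fed to it. */
struct byte_counter { struct object base; size_t total; };

static int byte_counter_process(struct object *self, const unsigned char *buf, size_t len)
{
    struct byte_counter *bc = (struct byte_counter *)self;
    (void)buf;
    bc->total += len;
    return (int)bc->total;
}
static void byte_counter_destroy(struct object *self) { free(self); }
static const struct object_vtbl byte_counter_vtbl = {
    "byte_counter", byte_counter_process, byte_counter_destroy
};

/* "Constructor": allocate, then install the class's vtable. */
struct object *byte_counter_new(void)
{
    struct byte_counter *bc = calloc(1, sizeof *bc);
    if (!bc) return NULL;
    bc->base.vtbl = &byte_counter_vtbl;
    return &bc->base;
}

/* Derived class 2: XOR-folds its input into one byte. */
struct xor_folder { struct object base; unsigned char acc; };

static int xor_folder_process(struct object *self, const unsigned char *buf, size_t len)
{
    struct xor_folder *xf = (struct xor_folder *)self;
    for (size_t i = 0; i < len; i++) xf->acc ^= buf[i];
    return xf->acc;
}
static void xor_folder_destroy(struct object *self) { free(self); }
static const struct object_vtbl xor_folder_vtbl = {
    "xor_folder", xor_folder_process, xor_folder_destroy
};

struct object *xor_folder_new(void)
{
    struct xor_folder *xf = calloc(1, sizeof *xf);
    if (!xf) return NULL;
    xf->base.vtbl = &xor_folder_vtbl;
    return &xf->base;
}

/* "Virtual" call: the caller never names the concrete type. In a
 * disassembly this is a load of the vtable pointer, a load of the slot and
 * an indirect call, with no compiler-generated C++ object model behind it. */
int object_process(struct object *o, const unsigned char *buf, size_t len)
{
    return o->vtbl->process(o, buf, len);
}

void object_release(struct object *o)
{
    if (o) o->vtbl->destroy(o);
}

/* Constructed sample input (not real data). */
static const unsigned char SAMPLE[] = "constructed sample";

/* Push the sample through one object via the generic call site, then free it. */
int demo_process(struct object *o)
{
    if (!o) return -1;
    int r = object_process(o, SAMPLE, sizeof SAMPLE - 1);
    printf("%-12s -> %d\n", o->vtbl->name, r);
    object_release(o);
    return r;
}

int main(void)
{
    demo_process(byte_counter_new());   /* 18: bytes counted */
    demo_process(xor_folder_new());     /* 82: XOR fold of the sample */
    return 0;
}
```

Both objects are driven through the same `object_process` call site; only the table they point to differs. That is the construct a C++ compiler would normally emit for you, here written out by hand in a language that has no classes, which is what gives such code its unfamiliar look to tooling expecting either plain C or standard C++ output.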

Kaspersky Lab also suggests that some of the code may have been reused from other projects. “The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” said Igor Soumenkov, Kaspersky Lab malware expert. “However, one thing is certain,” he added: “these techniques are normally seen by elite software developers and almost never in today’s general malware.”

What emerges from all of these different elements is the picture of a well-organised, well-resourced, disciplined development team of the old school: elite, not leet. But is it military? “We still don’t know,” said Vitaly Kamluk, chief malware analyst at Kaspersky. Whether by design or otherwise, virtually nothing within either Stuxnet or Duqu points to any particular geographic origin.
