Duqu: a government intelligence agency built cyberweapon?

The truth is less dramatic than some might hope; but intriguing nevertheless. The code is not some purpose-designed new language with its own compiler that might prove the elephant in the room. Where Duqu is concerned, the elephant is this: is Duqu the first example of a government intelligence agency built cyberweapon? Many suspect it is; nobody knows for certain. (We should include Stuxnet in any discussion since Kaspersky has also demonstrated beyond any reasonable doubt that Duqu and Stuxnet have come from the same team.)

The language ‘found’ by Kaspersky inside Duqu is just an old language – object oriented C, or OOC. But the discovery adds further fuel to the unproven conjecture. Kaspersky believes there could be two reasons to use OOC rather than the more popular C++. Firstly, ‘old-school’ programmers believe it to be a more reliable framework with less opportunity for unexpected behavior than some more recent languages; and secondly, it offers wide portability without any of the platform limitations that arise with C++.

Kaspersky Lab also suggests that some of the code may have been reused from other projects. “The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” said Igor Soumenkov, Kaspersky Lab malware expert. “However, one thing is certain,” he adds: “these techniques are normally seen by elite software developers and almost never in today’s general malware.”

What emerges from all of these different elements is the picture of a well-organised, well-resourced, disciplined development team of the old-school: elite, not leet. But is it military? “We still don’t know,” said Vitaly Kamluk, chief malware analyst at Kaspersky. For whatever reason, there is virtually nothing within either Stuxnet or Duqu that can point to any particular geographic location.

What’s hot on Infosecurity Magazine?