F Sharp, Iron Python, CPLEX LIB, High-Level Assembly, LISP, Erlang are just a few of the names of programming languages in which Duqu’s framework could be written. It’s uncertain yet which one it is, but one thing is clear, the malware’s framework looks different from anything else previously analyzed by Kaspersky experts.
The researchers determined that Duqu’s Payload library (DLL) looks like a common Windows PE DLL compiled in Microsoft’s Visual Studio 2008.
“The entry point code is absolutely standard, and there is one function exported by ordinal number 1 that also looks like MSVC++,” Kaspersky Lab Expert Igor Soumenkov said.
“This function is called from the PNF DLL and it is actually the 'main' function that implements all the logics of contacting C&C servers, receiving additional payload modules and executing them.”
However, the way this logic was programmed and the tools that were utilized are mindboggling. The only certain thing is that it's an object-oriented programming language.
Most of the code sections that compose the Payload DLL seem to have been compiled in C++, but the command and control (C&C) interaction code, which represents the largest part, is different.
In the code of the Duqu Framework, as experts call it, everything is wrapped into objects and there is no distinction between code written by the programmer and the utility classes. Also, native Windows APi is used instead of references to run-time library functions.
The objects, each an instance of one of the 60 classes, are constructed using the “constructor” functions and destroyed using “destructor” functions, but the layout of each object depends on its class.
“Some classes appear to have binary compatible function tables but there is no indication that they have any common parent classes (like in other OO languages). Furthermore, the location of the function table is not fixed: some classes have it at offset 0 of the instance, but some does not,” Soumenkov explained.
When compared with the framework of its predecessor, Stuxnet, Duqu is different and Kaspersky even hints that a separate team may be responsible for creating this part of the project.
Those who want to take a better look at the code and maybe even help Kaspersky identify the programming language the Duqu Framework was written in can visit Securelist.