On March 7, Kaspersky Lab experts revealed that after analyzing Duqu’s framework they were unable to precisely determine what programming language had been used to develop it. Now they think they have the answer and they say that it’s most likely a custom object oriented C called “OO C”.
Kaspersky security researchers asked the community for help in finding out the name of the programming language and the most popular suggestions were variants of LISP, Forth, Erlang, Google Go, Delphi, OO C, and old compilers for C++.
Based on the community’s responses, they concluded that the input code was pure C and it was compiled with Microsoft Visual Studio Compiler 2008 with the options /O1, to minimize its size, and /Ob1, which ensures that it expands only inline.
There are two main possibilities. The code was either written using a custom OO C framework, or it was entirely written in OO C manually, without any language extensions.
“No matter which of these two variants is true, the implications are impressive. The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers,” Kaspersky’s Igor Soumenkov wrote.
“This kind of programming is more commonly found in complex ‘civil’ software projects, rather than contemporary malware. Additionally, the whole event-driven architecture must have been developed as a part of the Duqu code or its OOC extension.”
It’s believed that the developers are old school that don’t trust C++ and that’s probably why they relied on C. Another reason for using OO C is because back in the good old days it was more portable than C++.
The bottom line is that Duqu was created by a professional team that wrote the framework based on old code. Since this type of code is not used in newly developed malware, it makes Duqu one-of-a-kind.