Unknown programming language used in the Duqu trojan

11 Mar 2012 17:24

Researchers at the security firm Kaspersky Labs have, after a thorough review of the code in the Duqu trojan, which is written in C++, discovered that part of the code is written in a programming language unknown to them. The code was found in the payload DLL that handles communication with the trojan's command & control servers, the receipt of further modules, and their execution.

The language in the Duqu Framework is highly specialised. It enables the Payload DLL to operate independently of the other Duqu modules and connects it to its dedicated C&C through several paths, including Windows HTTP, network sockets and proxy servers. It also allows the Payload DLL to process HTTP server requests from the C&C directly, stealthily transmit copies of stolen information from the infected machine to the C&C and even distribute additional malicious payload to other machines on the network, creating a controlled and discreet form of spreading infections to other computers.
Kaspersky Labs

Now the Moscow-based firm is asking programmers and coders for help, and would like to hear from anyone who recognises the code and knows which framework or programming language was used.

Kaspersky Labs has published a detailed review of the Duqu framework on its research site Securelist.

#1: Beetleburst

11 Mar 2012 22:40

The Taliban made it!
We'll reciprocate with an extra bomb, with the greeting: "Thanks for last time!"

#2: T_A

12 Mar 2012 10:53

It must be aliens who wrote some mysterious code.

#3: bobske2

13 Mar 2012 00:00

Looks like it's compiled in msvc, but the framework is probably their own

#4: Mamad (moveax1ret)

13 Mar 2012 08:25

Looks like it's compiled in msvc, but the framework is probably their own
bobske2 (#3)

What gives you that impression?

I can't see anything that suggests it...

real men wear tinfoil hats

#5: tormok

19 Mar 2012 20:32

Igor Soumenkov from Kaspersky has written a new blog post about the "unknown" programming language.

The mystery of Duqu Framework solved

In my previous blogpost about the Duqu Framework, I described one of the biggest remaining mysteries about Duqu – the oddities of the C&C communications module which appears to have been written in a different language than the rest of the Duqu code. As technical experts, we found this question very interesting and puzzling and we wanted to share it with the community.

...

So, what does that mean? In short, there are two very probable answers to our initial question:

1. The code was written using a custom OO C framework, based on macros or custom preprocessor directives. This was suggested by your comments, because it is the most common way to combine object-oriented programming with C.

2. All the code was written in OO C manually, without any extensions to the language. We can’t deny this possibility completely because, technically, it is near impossible to distinguish code written with macro directives from manually copy-pasted code.

...

Conclusions

- The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”
- The code was most likely written with a custom extension to C, generally called “OO C”
- The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
- The C&C code could have been reused from an already existing software project and integrated into the Duqu trojan

All the conclusions above indicate a rather professional team of developers, which appear to be reusing older code written by top “old school” developers. Such techniques are normally seen in professional software and almost never in today’s malware. Once again, these indicate that Duqu, just like Stuxnet, is a “one of a kind” piece of malware which stands out like a gem from the large mass of “dumb” malicious program we normally see.
Source
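As an added illustration of the "custom OO C framework based on macros" and the event-driven architecture that Kaspersky's conclusions describe (hypothetical names; this is not code from Duqu, from Kaspersky, or from the poster), here is a tiny macro-based OO C layer with a vtable, a vptr as the object's first field, and an event dispatcher. This is the shape a reverse engineer would see in compiled output that "looks like another language" while still being plain C.

```c
#include <stddef.h>

/* Added example (hypothetical names, not Duqu or Kaspersky code): a tiny
   macro-based "OO C" framework with an event-driven dispatcher. */
typedef struct Object Object;

/* The vtable: one function pointer per "virtual" method. */
typedef struct {
    int (*handle)(Object *self, int event);  /* returns 1 if event consumed */
    int (*value)(const Object *self);        /* reports internal state */
} VTable;

struct Object {
    const VTable *vt;  /* first field: appears as a vptr in compiled code */
    int state;
};

/* Macros that make calls read like methods; this layer is what hides the
   source language from someone looking only at the compiled binary. */
#define METHOD(obj, name, arg) ((obj)->vt->name((obj), (arg)))
#define METHOD0(obj, name)     ((obj)->vt->name(obj))
#define CONSTRUCT(obj, vtable) do { (obj)->vt = (vtable); (obj)->state = 0; } while (0)

/* "Class" Counter: consumes only event 1, counting occurrences. */
static int counter_handle(Object *self, int event) {
    if (event != 1) return 0;
    self->state++;
    return 1;
}
static int object_value(const Object *self) { return self->state; }
static const VTable Counter_vt = { counter_handle, object_value };

/* "Class" Sink: consumes every event and remembers the last one. */
static int sink_handle(Object *self, int event) { self->state = event; return 1; }
static const VTable Sink_vt = { sink_handle, object_value };

/* Event loop: offer each event to the objects in order until one consumes it. */
static int dispatch(Object **objs, size_t n, const int *events, size_t m) {
    int consumed = 0;
    for (size_t i = 0; i < m; i++)
        for (size_t j = 0; j < n; j++)
            if (METHOD(objs[j], handle, events[i])) { consumed++; break; }
    return consumed;
}

/* Constructed scenario: returns events consumed; writes each object's state. */
int run_demo(int *counter_out, int *sink_out) {
    Object counter, sink;
    Object *objs[2] = { &counter, &sink };
    const int events[4] = { 1, 2, 1, 3 };  /* constructed event stream */
    CONSTRUCT(&counter, &Counter_vt);
    CONSTRUCT(&sink, &Sink_vt);
    int consumed = dispatch(objs, 2, events, 4);
    *counter_out = METHOD0(&counter, value);
    *sink_out = METHOD0(&sink, value);
    return consumed;
}
```

In the constructed run, the two event-1 messages are taken by Counter and the other two fall through to Sink, so every event is consumed exactly once.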
