Redditor Uncovers the Mystery Behind the DuQu Trojan

Although a large part of the DuQu trojan was confirmed to have been written in C++, Kaspersky could not reach a conclusion about one particular section of the code. This section handles communication with the command-and-control servers and is contained inside the payload.dll file. It is believed to have been written in an object-oriented language, and Kaspersky Lab engineer Igor Soumenkov says:

The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.

This mysterious section of code receives instructions and returns stolen data. Kaspersky Lab turned to enthusiastic programmers and asked for help deciphering the puzzling section of code. Reddit, being the awesome community that it is, offered some timely help.

It is interesting to note that the mystery man who demystified DuQu is none other than Igor Skochinsky, who reverse-engineered the Kindle in early 2008. You can always visit his blog to refresh your memory. He goes by the handle igor_sk on Reddit, and his exact comment on DuQu was:

I can say with some certainty that the code in the snippets comes from the MSVC compiler, since its register allocator tends to use esi first. "pop ecx" instead of "add esp, 4" is another MSVC trait. Have a look at this presentation for a more formalized approach to compiler detection.

When confronted with the fact that Kaspersky had debunked the possibility of the code being compiled with the MSVC compiler, he boldly claimed that the guys at Kaspersky were wrong. Redditors never fail to amaze me. This vital piece of information will be useful when dealing with the DuQu trojan and stopping its communications with the command center.
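The stack-cleanup trait igor_sk mentions ("pop ecx" versus "add esp, 4" after a one-argument call) can be tallied over raw 32-bit x86 code. This is an added example, not code from the article, Kaspersky or the Reddit thread; the function names and both sample byte strings are constructed, and plain byte matching without a disassembler gives only a rough hint.

```python
# Added example: tally the instruction that follows a direct near call
# (opcode E8 + 4-byte displacement) in raw 32-bit x86 code.
# Assumption: byte-pattern matching only; an E8 byte inside another
# instruction's operand can produce a false hit, so treat counts as a hint.
CALL_REL32 = 0xE8              # call rel32, 5 bytes long
POP_ECX = b"\x59"              # pop ecx      (1-byte cleanup of one argument)
ADD_ESP_4 = b"\x83\xc4\x04"    # add esp, 4   (3-byte cleanup of one argument)

def cleanup_idioms(code: bytes) -> dict:
    """Count which cleanup idiom directly follows each call rel32."""
    counts = {"pop_ecx": 0, "add_esp_4": 0}
    i = 0
    while i + 5 <= len(code):
        if code[i] != CALL_REL32:
            i += 1
            continue
        after = code[i + 5:i + 8]          # bytes right after the call
        if after.startswith(POP_ECX):
            counts["pop_ecx"] += 1
            i += 5 + len(POP_ECX)
        elif after.startswith(ADD_ESP_4):
            counts["add_esp_4"] += 1
            i += 5 + len(ADD_ESP_4)
        else:
            i += 1                         # not a call we can classify
    return counts

def dominant_idiom(counts: dict) -> str:
    """Name the more frequent idiom, or 'inconclusive' on a tie."""
    if counts["pop_ecx"] > counts["add_esp_4"]:
        return "pop ecx"
    if counts["add_esp_4"] > counts["pop_ecx"]:
        return "add esp, 4"
    return "inconclusive"

# Constructed samples (not taken from DuQu):
# push 1; call f; pop ecx; push 2; call g; pop ecx; ret
SAMPLE_POP = bytes.fromhex("6a01 e810000000 59 6a02 e820000000 59 c3")
# push 1; call f; add esp, 4; ret
SAMPLE_ADD = bytes.fromhex("6a01 e810000000 83c404 c3")

if __name__ == "__main__":
    for name, blob in (("SAMPLE_POP", SAMPLE_POP), ("SAMPLE_ADD", SAMPLE_ADD)):
        c = cleanup_idioms(blob)
        print(name, c, "->", dominant_idiom(c))
```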

Duqu Trojan Command and Control Server Found in Mumbai, India

News of Duqu, a large-scale trojan attack, surfaced on the Internet last week. The impact of Duqu measures up to the likes of Stuxnet, as it attacks mission-critical systems. Duqu was discovered by Symantec, which claimed that it had code similar to the Stuxnet trojan. This malware has raised concern in the security world because it has been devised to cause mayhem in industrial fields, just like Stuxnet. The primary targets of Duqu are oil refineries, power plants and pipeline systems.
Duqu seems to have a scare factor very similar to Stuxnet's because it attacks critical industries. Although it is not related to Stuxnet in any way, the complicated nature of Duqu makes it look like a well-funded attack, probably by a government. The first piece of evidence in Duqu was found at Web Werks, a web-hosting company based in Mumbai. The Department of Information Technology in India received a tip from Symantec, and the Indian Computer Emergency Response Team visited Web Werks' offices. They seized two hard drives with information on the trojan. Apparently, hosting at Web Werks was used to run the attackers' command-and-control center. However, the complicated nature of the trojan makes a quick analysis hard.

The Duqu trojan, as explained by Symantec, is:

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer. Initial analysis of this threat has shown that it is related closely to the W32.Stuxnet worm from 2010.

Although the affected system list does not include Windows 7, it includes all possible Windows versions before Windows 7, all the way back to Windows 95. However, you may be surprised to see that the Symantec page on Duqu lists it as low severity.

Web Werks has failed to track down the dubious customer who owned the hosting account, and the Indian Department of Information Technology is yet to unearth the mysteries contained in the seized drives. A second command-and-control center has recently been located in Belgium.

In the meantime, CrySyS laboratories in Hungary got hold of an installer for Duqu and claims that it exploits an unknown vulnerability in the Windows kernel. The attack spreads through a .doc (Word document) file and is being distributed through social engineering. The safest way to protect against the worm is to follow email best practices and to steer clear of anything that looks fishy, especially dubious Word documents.