Part of the Duqu Trojan was written in an unknown programming language.
According to research by Kaspersky Lab, this solves the mystery of how it communicated with its command and control (C&C) servers after infection. Kaspersky Lab claimed that the Duqu module responsible for interacting with the C&C servers is part of its Payload DLL, and that analysis of this module found a specific section written in an unknown language.
Kaspersky Lab researchers named this unknown section the "Duqu Framework"; they said this demonstrates just how highly skilled the developers are and points to the significant financial resources involved.
Kaspersky Lab said that, unlike the rest of Duqu, the Duqu Framework is not written in C++ and is not compiled with Microsoft's Visual C++ 2008. Its researchers have confirmed that the language is object-oriented and performs its own set of related activities that are suitable for network applications.
Alexander Gostev, chief security expert at Kaspersky Lab, said: “Given the size of the Duqu project, it's possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system-infection exploits.
“With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program.”
Kaspersky Lab has appealed to the programming community, asking anyone who recognises the framework, toolkit or programming language, and can generate similar code constructions, to contact its researchers.