Kaspersky Lab has revealed that the Duqu malware used the source code object-oriented C (OO C), which was specially written by a professional.
It claimed that a previously unknown code block, located inside a section of the malicious program's Payload DLL that was responsible for interacting with the command and control (C&C) servers after infection, consists of ‘C' source code compiled with Microsoft Visual Studio 2008 and special options for optimising code size and in-line expansion.
It said that the code was also written with a customised extension for combining object-oriented programming with C, generally referred to as ‘OO C'.
Having called for assistance from the security industry, Vitaly Kamluk, chief malware expert at Kaspersky Lab, said the use of this code made it more portable, efficient and lightweight, and analysis would help it determine who the attacker is.
He said: “It is common for software developers to use simple tools to create code that is easier and faster and makes life simpler. With Duqu it is the opposite, professional developers create their own framework so a software architect introduced this module.”
He also said that this code/framework was used for the first time in this instance, or it would have been recognised. “OO C is a common development approach for Mac OS; this is a reimplementation for Mac OS but for Windows, but there is some malware for Mac OS which is implemented in OO C,” he said.
Kamluk said the perpetrator was likely to be a large organisation that can afford special skills in its development team. He suspected that it was built by a team of 20 to 30 people that may comprise different organisations. He also said there were no clear geographical specifics within its analysis.
“Compared to traditional malware, it may take at least three to five times longer to create it. Traditional malware can be created by a student, this was done by a professional,” he said.