Kaspersky security researchers analysing the Duqu malware have unexpectedly hit a wall, stumped by code that appears to be written in an unknown programming language, and are now appealing to the public for anyone that might recognise it to come forward.
Kaspersky Lab's analysis has already revealed that Duqu is likely created by the same authors as Stuxnet, by revealing the similarities between the platforms used to create both trojans. However, in their most recent research, security experts Igor Sourmenkov and Costin Raiu have come across code that doesn't appear to be written in any language they've seen before.
The Duqu trojan uses a dynamic link library (DLL) to communicate with a command and control server after it has infected a victim's machine. This DLL operates independently of Duqu's other modules and provides the trojan with several vectors through which it can phone home, such as through an HTTP server, via a proxy or through other network sockets.
It also delivers stolen information from the victim's machine to the command and control server and enables Duqu to spread to other machines on the network.
(Credit: Kaspersky Lab)
While the DLL is mostly written in native C++ code, the segment used to actually contact the command and control servers is not. Kaspersky Lab has called this the Duqu Framework and it has the researchers stumped.
According to the researchers' most recent post, the framework doesn't contain any references to standard or user-written C++ functions, but appears to be object-oriented. Additionally, the framework appears to be event-driven, resembling Objective C, but not containing any references to the language or appearing to be compiled with any known Objective C compilers.
In addition to C++, the researchers have ruled out Java, Python, Ada, Lua and many other languages.
At the moment, the researchers suspect that the authors wrote the code using an in-house framework to generate intermediary C code, or that a completely different programming language was used. They are now calling on anyone that recognises the language or knows of tools that can generate similar code to contact them.
Kaspersky Lab's chief security expert Alexander Gostev has speculated that the team who wrote the framework was an entirely different team to the one that wrote parts of Duqu responsible for exploiting a victim's machine.
"It is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the [command and control servers], but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program," he said in a statement.
Kaspersky Lab has posted examples of the code on its blog for anyone to inspect and leave comments.