The mystery rested in a section of code written in an unknown programming language and used in the Duqu Framework, a portion of the Payload DLL used by the Trojan to interact with Command & Control (C&C) servers after the malware infected a system.
Less than two weeks later, Kaspersky Lab experts now say with a high degree of certainty that the Duqu Framework was written using a custom object-oriented extension to C, generally called “OO C”, and compiled with the Microsoft Visual Studio Compiler 2008 (MSVC 2008) using special options for optimizing code size and inline expansion.
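To show what is meant by an object-oriented extension to C, here is an added illustrative example of the idiom (written for this page; it is not code from Duqu or from Kaspersky's analysis): a struct whose first field points to a table of function pointers, a plain C function acting as the constructor that installs it, and calls dispatched indirectly through that table. The Shape and ShapeOps names are invented for the example.

```c
#include <stdlib.h>

/* Illustrative "OO C": the object's first field points to a table of function
 * pointers (a hand-written vtable) and a plain C function acts as the
 * constructor that installs it. No C++ runtime, RTTI or mangled names are
 * involved, so the binary does not carry the usual C++ fingerprints. */
struct Shape;
struct ShapeOps {                      /* hypothetical function table */
    int  (*area)(const struct Shape *self);
    void (*destroy)(struct Shape *self);
};
struct Shape {
    const struct ShapeOps *ops;        /* table pointer at offset 0 */
    int w, h;
};

static int  rect_area(const struct Shape *s) { return s->w * s->h; }
static int  tri_area(const struct Shape *s)  { return s->w * s->h / 2; }
static void shape_free(struct Shape *s)      { free(s); }
static const struct ShapeOps rect_ops = { rect_area, shape_free };
static const struct ShapeOps tri_ops  = { tri_area,  shape_free };

/* "Constructor": allocate the object, then wire in its function table. */
static struct Shape *shape_new(const struct ShapeOps *ops, int w, int h)
{
    struct Shape *s = malloc(sizeof *s);
    if (s == NULL) return NULL;
    s->ops = ops; s->w = w; s->h = h;
    return s;
}

/* "Virtual" call: an indirect call through the table (call [reg+0]). */
int shape_area(const struct Shape *s) { return s->ops->area(s); }

/* Builds one object of each kind and returns the sum of their areas:
 * a 3x4 rectangle (12) plus a 3x4 triangle (6) gives 18; -1 if malloc fails. */
int total_area(void)
{
    struct Shape *r = shape_new(&rect_ops, 3, 4);
    struct Shape *t = shape_new(&tri_ops, 3, 4);
    int sum = -1;
    if (r != NULL && t != NULL)
        sum = shape_area(r) + shape_area(t);
    if (r) r->ops->destroy(r);
    if (t) t->ops->destroy(t);
    return sum;
}
```

In a disassembler this pattern shows up as a pointer stored at the start of each allocation followed by calls through fixed offsets from that pointer, rather than the constructor and vtable conventions a C++ compiler would emit.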
Why did the authors of Duqu, which is assumed to come from the same creators as Stuxnet, use OO C? While there is no easy explanation for why OO C was used instead of C++ for the Duqu Framework, Kaspersky experts say there are two reasonable causes that support its use: 1) more control over the code, and 2) extreme portability.
“These two reasons indicate that the code was written by a team of experienced ‘old-school’ developers who wanted to create a customized framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customized to integrate into the Duqu Trojan,” noted Kaspersky Lab's Chief Malware Expert in a blog post. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”