Experts Ask for Help in Solving Duqu Cyberweapon Mystery
Was Count Dooku responsible for Duqu? We may never know for sure.
VANCOUVER, British Columbia — A researcher from a leading Internet security firm appealed to his colleagues and the larger security community to help get him closer to the heart of the mysterious "Duqu" Trojan.
In a presentation yesterday (March 7) at the CanSecWest security conference here, Roel Schouwenberg, senior researcher for Kaspersky Lab, said that after countless hours conducting forensic investigations into Duqu, he and his team were still unable to identify the programming language used to craft the dangerous cyberweapon.
"We are kind of puzzled by the fact that even after spending so many hours, we still don't know what this coding language is about," Schouwenberg said.
Discovered last October by a Hungarian security firm, Duqu spreads through spear-phishing emails. It uses a "dropper" embedded in a rigged Microsoft Word document to burrow into PCs and load a driver into the Windows kernel. Duqu's targets are believed to include power and energy industry targets, supply chains and military targets, mainly in Iran but also in Europe.
When its code and components were analyzed, Duqu was found to have startling similarities to Stuxnet, the sophisticated worm that infected and disrupted Iran's Natanz uranium-enrichment plant in 2010. Stuxnet's authors are unknown, but experts agree it was created by a well-financed national intelligence service, most likely American or Israeli.
Schouwenberg's presentation coincided with a blog post from his Kaspersky Lab colleague, Igor Soumenkov. While Stuxnet was compiled with Microsoft's Visual C++ package (MSVC++), Soumenkov said, Duqu's framework was written in an unknown programming language. It wasn't MSVC++, C++, Objective C, Java, Python or many other languages tested.
Soumenkov called this puzzling discrepancy "one of the defining particularities of the Duqu framework."
"We would like to make an appeal to the programming community and ask anyone who recognizes the framework, toolkit or the programming language that can generate similar code constructions, to contact us or drop us a comment in the blogpost," Soumenkov wrote. "We are confident that with your help we can solve this deep mystery in the Duqu story."
Schouwenberg echoed his colleague, inviting those in attendance to take up the case of the mysterious Duqu programming language on their own.
Schouwenberg said, "We've spent many, many, many hours, and gone through many different [programming] languages. If you could please have a look, that'd be great. Maybe someone can identify if this is something new that we didn't see."