Sometime later, the Duqu Trojan became increasingly known as a dangerous piece of malware targeting intelligence. Duqu was first discovered in September 2011; however, according to Kaspersky Lab, traces of Duqu have been tracked back to August 2007. Kaspersky Lab found that the Duqu Trojan was written in a programming language that is not known. Duqu is a sophisticated Trojan created by the same people who made Stuxnet. The malware serves as a system backdoor and facilitates the theft of confidential data.
Kaspersky recorded the largest number of victims in Iran. Duqu generally looks for information about production management systems in various industrial sectors, as well as information about trade relations between several companies in Iran.
The biggest unsolved mystery of the Duqu Trojan is how the program communicates with its Command and Control (C&C) server once it has successfully infected a victim. The Duqu module responsible for interacting with the C&C is part of the Duqu payload DLL. After a comprehensive analysis of the payload DLL, Kaspersky Lab researchers found a special section of it, dedicated to communicating with the C&C, written in a programming language that is not known. Kaspersky Lab researchers call this unknown part the “Duqu Framework”.
Unlike the rest of Duqu, which is written in C++ and compiled with Microsoft Visual C++ 2008, the Duqu Framework is written in neither. The authors possibly used an in-house framework to generate intermediary C code, or used a completely different programming language. However, Kaspersky Lab researchers have stated that the language is object-oriented and performs a number of activities appropriate to a network application.
The Duqu Framework language is very specialized and allows the payload DLL to operate independently of the other Duqu modules and to connect to the C&C through several channels, such as Windows HTTP, network sockets, and proxy servers. It also allows the payload DLL to process HTTP requests from the C&C server directly, to covertly move copies of the information stolen from the infected machine to the C&C, and even to distribute other malicious payloads to other devices on the network, creating a form of control and latent spread of the infection to other computers.
“Given the scale of the Duqu project, it is possible that the Duqu Framework was created by its own team, different from the group that created the driver and wrote the system infection exploits,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab. “Given the high level of customization and exclusivity of the programming language that was created, it is possible this program was created not only to prevent outsiders from understanding the cyber-espionage operation and its interaction with the C&C, but also to distinguish it from the other internal Duqu groups responsible for writing other parts of this program.”
According to Alexander Gostev, creating its own programming language shows how highly skilled the developers working on this project are, and demonstrates the financial and human resources mobilized to ensure the project runs.
Kaspersky Lab invites the community of programmers, or anyone who recognizes the framework, toolkit, or unknown programming language of the Duqu Trojan, to contact [email protected].