By: Nick Clayton, Wall Street Journal
New malware based on one of the world’s most sophisticated viruses, Stuxnet, caused a world wide stir last October when it was revealed. As we reported the new threat was dubbed Duqu because it created files with a “DQ” prefix.
Since its discovery researchers had been extensively analyzing the code, but had been unable to trace exactly what it was. Then on March 7 Moscow-based Kasperky Lab published a blog post asking for help and, in fascinating detail, Wired describes the detective work that happened next.
Most commenters who wrote in response to Kaspersky’s plea thought the code was a variant of LISP, but the reader who led them in the right direction was a commenter who identified himself as Igor Skochinsky and wrote in a thread posted to Reddit.com that he was certain the code was generated with the Microsoft Visual Studio Compiler and offered some cogent reasons why he believed this. Two other people who sent Kaspersky direct emails made crucial contributions when they suggested that the code appeared to be generated from a custom object-oriented C dialect — referred to as OO C — using special extensions.
This led the researchers to test various combinations of compiler and source codes over a few days until they found the right combination that produced binary that matched the style in DuQu.
The magic combination was C code compiled with Microsoft Visual Studio Compiler 2008 using options 01 and Ob1 in the compiler to keep the code small…
The idea that the coders are “old school” is also supported by their use of C over the more modern C++ language. Some commenters told Kaspersky that coders who were actively programming a decade ago didn’t like C++ because, when compiled, it was known to produce code that could be unpredictable…
It suggests that whoever coded this part of DuQu was conservative, precise, and wanted 100 percent assurance that the code would work the way they wanted it to work.
So from the painstaking research work done by Kaspersky Labs it would seem that “Son of Stuxnet” was created by older, precise and conservative coders wanting to create a robust and flexible malware tool. It is not too hard to figure out what type of perpetrator is suspected.