New malware based on one of the world’s most sophisticated viruses,
Stuxnet, caused a worldwide stir last October when it was revealed. As we reported, the new threat was dubbed Duqu because it created files with a “DQ” prefix.
Since its discovery researchers had been extensively analyzing the
code, but had been unable to trace exactly what it was. Then on March 7
Moscow-based Kaspersky Lab published a blog post asking for help and, in
fascinating detail, Wired describes the detective work that happened next.
Most commenters who wrote in response to Kaspersky’s plea
thought the code was a variant of LISP, but the reader who led them in
the right direction was a commenter who identified himself as Igor
Skochinsky and wrote in a thread posted to Reddit.com that he was
certain the code was generated with the Microsoft Visual Studio Compiler
and offered some cogent reasons why he believed this. Two other people
who sent Kaspersky direct emails made crucial contributions when they
suggested that the code appeared to be generated from a custom
object-oriented C dialect — referred to as OO C — using special
This led the researchers to test various combinations of compilers and
source code over a few days until they found the combination
that produced a binary matching the style seen in DuQu.
The magic combination was C code compiled with Microsoft Visual
Studio Compiler 2008 using options O1 and Ob1 in the compiler to keep
the code small…
The idea that the coders are “old school” is also supported by their
use of C over the more modern C++ language. Some commenters told
Kaspersky that coders who were actively programming a decade ago didn’t
like C++ because, when compiled, it was known to produce code that could
It suggests that whoever coded this part of DuQu was conservative,
precise, and wanted 100 percent assurance that the code would work the
way they wanted it to work.
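To make the two technical points above concrete (a hand-rolled object-oriented style written in plain C rather than C++, built with MSVC's size-oriented options), here is a generic "OO C" idiom added for this page; it is not Duqu's code and not Kaspersky's reconstruction. The struct and function names are invented; the /O1 and /Ob1 switches quoted in the article are real MSVC options (minimize size; expand only functions marked inline).

```c
/* Added example of an "object-oriented C" idiom: a struct carrying its own
 * table of function pointers (a hand-rolled vtable), a constructor that
 * installs it, and callers that dispatch through it. Generic pattern,
 * assumed for illustration; not Duqu's code nor Kaspersky's reconstruction.
 * With the MSVC 2008 flags named in the article:  cl /O1 /Ob1 ooc.c */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct object;
/* "Virtual method table": one function pointer per interface method. */
struct vtable {
    size_t (*size)(const struct object *self);
    void   (*destroy)(struct object *self);
};
/* Base "class": first field is the vtable pointer, as in a C++ object. */
struct object { const struct vtable *vt; };
/* Derived "class" wrapping a byte buffer; base first so casts are valid. */
struct buffer { struct object base; unsigned char *data; size_t len; };

static size_t buffer_size(const struct object *self) {
    return ((const struct buffer *)self)->len;
}
static void buffer_destroy(struct object *self) {
    struct buffer *b = (struct buffer *)self;
    free(b->data);
    free(b);
}
static const struct vtable buffer_vtable = { buffer_size, buffer_destroy };

/* "Constructor": allocate, copy the input, install the vtable. */
struct object *buffer_new(const unsigned char *src, size_t len) {
    struct buffer *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = malloc(len ? len : 1);
    if (!b->data) { free(b); return NULL; }
    memcpy(b->data, src, len);
    b->len = len;
    b->base.vt = &buffer_vtable;
    return &b->base;
}
/* Callers never name the concrete type: they dispatch via the table. */
size_t object_size(const struct object *o) { return o->vt->size(o); }
void object_destroy(struct object *o) { o->vt->destroy(o); }
```

In a compiled binary this style leaves recognisable traces (tables of function pointers stored in data, calls through the first field of a struct) that differ from what a C++ compiler emits, which is the kind of "style" the researchers were matching.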
So from the painstaking research work done by Kaspersky Lab it would
seem that “Son of Stuxnet” was created by older, precise and
conservative coders wanting to create a robust and flexible malware
tool. It is not too hard to figure out what type of perpetrator is