Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security IT

Researchers Seek Help In Solving DuQu Mystery Language 131

An anonymous reader writes "DuQu, the malicious code that followed in the wake of the infamous Stuxnet code, has been analyzed nearly as much as its predecessor. But one part of the code remains a mystery, and researchers are asking programmers for help in solving it. The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines."
This discussion has been archived. No new comments can be posted.

Researchers Seek Help In Solving DuQu Mystery Language

Comments Filter:
  • It says... (Score:5, Funny)

    by Anonymous Coward on Wednesday March 07, 2012 @04:40PM (#39279511)

    NSA Property, Keep Out.

    • Re:NSA (Score:5, Insightful)

      by TaoPhoenix ( 980487 ) <> on Wednesday March 07, 2012 @05:40PM (#39280471) Journal

      Actually, I'll reverse the joke and gun for +1 Insightful.


      Literally why does this story even exist? This code takes out nuclear reactors and "researchers ask programmers for help"? Really?! (Does "Ask" imply they want the answer FREE?!)

      So the Dept of Homeland Security is busy helping yank down file share sites and they have no time for this?

      Ladies and Gentlemen and AI's, this is your answer to why we're spiralling into a mess.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu, the details of which are unlikely to be shared with the general public. TFA is about Kaspersky Labs, an independently owned security firm, asking for help from the general public.

        • DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu

          No need for that unless they snuffed the original developer before securing the relevant docs.~

          • Re:NSA (Score:5, Funny)

            by lennier ( 44736 ) on Wednesday March 07, 2012 @08:48PM (#39282655) Homepage

            DHS, conspiracy theories aside, is likely conducting their own investigation into DuQu

            No need for that unless they snuffed the original developer before securing the relevant docs.~

            Hey, everyone makes mistakes. That drone was supposed to have been loaded with tranquilizer darts, not Hellfires. Boy, there were some red faces in the office when we found out what happened.

      • Re:NSA (Score:5, Insightful)

        by Baloroth ( 2370816 ) on Wednesday March 07, 2012 @06:05PM (#39280821)

        Literally why does this story even exist? This code takes out nuclear reactors and "researchers ask programmers for help"? Really?! (Does "Ask" imply they want the answer FREE?!) So the Dept of Homeland Security is busy helping yank down file share sites and they have no time for this?

        Why would DHS have anything to do with this? DuQu so far hasn't done anything to American interests (in fact, so far as I can tell, it has helped them). The people in TFA looking at the code are Kaspersky: a Russian anti-virus company. They don't even recognize the language the code is written in, much less how it works, and they are wondering if anyone of the billions of people on the Internet knows (specifically, if it is a a specialized language used in some niche industry or something). If no one does, they can be pretty sure it was a custom created language, and proceed accordingly. They aren't asking for someone to do their work for them: they are saying "hey, this look like anything anyone knows?" DHS might be looking at it too, if they didn't create it: but the story has absolutely nothing whatsoever to do with them, in any way. Not even the same continent.

        Also, I don't know where you got "takes out nuclear reactors." Stuxnet did damage to nuclear centrifuges. AFAICT all DuQu seems to be doing is stealing data (private keys, actually). Bad for people who get infected, yes. Not like it is causing nuclear meltdowns or something.

      • "This code takes out nuclear reactors and "researchers ask programmers for help"? Really?!"

        No, no DuQu does not, and has never attempted to, 'take out nuclear reactors.' That was a different piece of malware.

        It would benefit us all - as well as yourself - if before you commented you educated yourself on the subject of the submitted story.

    • Re:It says... (Score:5, Interesting)

      by Beardo the Bearded ( 321478 ) on Wednesday March 07, 2012 @05:41PM (#39280485)

      It looks to me to be the output from the PLC compiler. Clear, count, and compare are basic ladder logic commands.

      If you figure out which PLCs the Iranians are using that'll give you the compiler; each brand has its own and you're really unlikely to see it if you haven't used it. How many people here have used DirectSoft? Have you seen Schneider's programming interface?

      That would explain why the researchers haven't seen it. You rarely use PLCs outside of industry.

    • by chinton ( 151403 )
      No, it says "Seatec Astronomy".
    • Actually, it doesn't come from the NSA. The name resembles "Do cu", which is "from the ass" in Portuguese. There, now you know where it comes from.
  • by Oswald McWeany ( 2428506 ) on Wednesday March 07, 2012 @04:42PM (#39279541)

    The mystery code isn't really much of a mystery- it's just how Duqu communicates with the sith lord.

  • hmmm yes, your average script kiddie can totally create a custom language and totally stump the entire computing universe. my daughter did it last week while looking for proxies to get around my facebook ban. no government needed!
    • by Havokmon ( 89874 )
      You mean you're not already running a squid/dansguardian box with NTLM auth locally and blocking all other Internet access? :)
  • Learned INTERCAL [] from Guy Steele in the Comparative Languages course at CMU.

  • by Anonymous Coward

    It's in ROT-13 Pig Latin.

    I'll take my paycheck in gum, Trident Layers to be specific.

  • ...and here's me thinking that compiled code has already been reduced to machine code.

    • Re:Uhh what? (Score:4, Interesting)

      by Zocalo ( 252965 ) on Wednesday March 07, 2012 @05:16PM (#39280103) Homepage
      Of course it has, but that's not the point. There's potentially something unusual here, so if you can work out what language/compiler/linker was used there might be a clue to the identity of the code's author(s). It wouldn't be the first time that a piece of malware has been written in an experimental language developed for educational purposes and seldom, if ever, seen outside that educational establishment. It would only be circumstatial evidence of course, but it's still better than nothing and might help narrow the field enough to get a lead on the authors.
      • by spads ( 1095039 )
        Could be that it's a completely custom compiler which the thing downloads then wipes after use. Unless someone recognizes the language, it might be quite hard to figure out.

        "This compiler will self-destruct in 10 seconds - 'squelch...'"
        • Or just a regular code obfuscator.

          • Regular code obfuscators are pretty obvious to spot, and you can usually fingerprint which obfuscator was used, if it wasn't homemade. Whatever this code is, it's not something you see in every day asm.

    • by Anonymous Coward

      Assembler is a 1-to-1 correlation with machine code. Simple software can switch between the two.
      As explained in the article (blasphemy, I know), high-level languages and the compilers they use tend to leave evidence in the machine code, which can be recognized by some of the real code-nutters when decompiled into assembler.

      • by rev0lt ( 1950662 )
        I've seen hand-written assembly listings and guessed correctly how many programmers worked on it, and which ones did what. Most compilers do leave a signature, specially if the code is compiled with optimizations - there are many ways of implementing the same base algorithms, and the key tricks show on the disassembly.
    • Re:Uhh what? (Score:4, Insightful)

      by 19thNervousBreakdown ( 768619 ) <davec-slashdot AT lepertheory DOT net> on Wednesday March 07, 2012 @05:48PM (#39280583) Homepage

      A compiler takes your high-level language instructions, and generates the many, many low-level instructions it might take to express a given high-level instruction. The thing is, much like there's many ways to write a cover letter for a resume, there's a lot of different ways to do that high->low expression, but a compiler writer is unlikely to bother with more than one way, or maybe a couple others if there's some benefit to doing so.

      A person on the other hand, will have all sorts of random variations in what they write. Oh, they'll come up with certain ruts, and have a certain style, but the won't be exactly the same every single time.

      Compilers also do useless stuff. For a car analogy, it's kind of like the tow hooks under your bumper--most of the time they aren't used. A person isn't going to bother to put them there if they're not currently needed or they can envision a need for them--a compiler never forgets to put those hooks there, and sometimes puts them there even when it's redundant. Optimization gets rid of that kind of thing, but no compiler is perfect, and they're often conservative.

      • by Anonymous Coward
        +1 CarAnalogy
  • that's just a guess

    but the level these guys are working at here, something well above script kiddie and slightly below elder neckbeard, it seems entirely plausible to me

    • by spads ( 1095039 )
      I think it could be even well above the advanced neck beard. These guys wanted to do all the damage possible, without giving them any technology they could figure out and use.
      • Well, if it's above the advanced level of Neck-beard the Gray then it's even more advanced than something like a tiny VM that interprets encrypted bytecode and has re-allocatable variable width opcodes such that the second time you encounter an instruction it may not do the same thing. Eg: my opcodes are Arithmetic encoded and encrypted with an evolving 12bit block cipher; Additionally, each execution swaps a few "function pointers" that the op-codes invoke. The compiler for my VM makes several passes to discover the optimal compression, encryption, and initial opcode-to-action table to use. To reverse engineer such a beast requires manually stepping through machine code from the very first instruction -- That is, given a partial sample of code: no amount of visual analysis will reveal what it does. The language used to write programs for it? ASM, or a subset of C; Though it could be Java, Python or any other high level language -- That's the beauty of compilers.

        Not saying this is what's been done, just that I've done and seen some VERY wicked code. I once cracked DRM that was implemented in enciphered MIPS and used such an embedded VM. It looked like the input language for the generated opcode was C.

        The government employees paid to come up with such a thing would be at most on-par with the masses of crypto nerds that joygasm over such things -- Who do you think they would hire? There's not some magical government-only breed of human with super hacker powers... Ergo, they must hire from the available pool of people, and since they don't hire us all, or even necessarily the absolute brightest, the highest level of hackerdom they could employ would be on-par with "the advanced neck beard" at most.

        • fine, you've made your point

          but the official coder manual officially classifies neckbeards as

          young neckbeard, adult neckbeard, elder neckbeard, and ancient neckbeard

          with Hit Points 100, 300, 700, and 1500, respectively

          the ancient variety is allowed to cast Befuddlement at will with a savings throw adjustment of -6 on your character's intelligence rating. i see you tried to cast that spell in your past post

          but i have no idea what this "advanced" neckbeard is you refer too. i don't think such a neckbeard classification exists... oh shoot, did you just Befuddle me?

          fine, i'll wait out the next 3 turns


  • by blueforce ( 192332 ) < minus city> on Wednesday March 07, 2012 @05:27PM (#39280279) Homepage Journal
    Objective-Brainfuck or Brainfuck with Classes
  • Could it be possible that the authors came up with their own language, and/or compiler?
  • erlang (Score:5, Insightful)

    by slew ( 2918 ) on Wednesday March 07, 2012 @06:04PM (#39280815)

    My guess is that it's probably erlang. It fits all the descriptions of how erlang works. Erlang is used in all sorts of realtime systems, it wouldn't be a stretch to see that it was used in a virus library. Someone that is in the Telecom or Network infrastructure industry might be familiar with Erlang and that type of person might also be the same type of person that knows enough about networks and network vunerabilities to architect a framework for virus distribution.

    • by tibit ( 1762298 )

      +1 insightful. I haven't thought of Erlang!

    • by Panaflex ( 13191 )

      But wouldn't erlang would have separate functions for each callback? Everything else is very similar.

      Another architecture this looks similar too is the X Toolkit event library...

  • by 0100010001010011 ( 652467 ) on Wednesday March 07, 2012 @06:12PM (#39280891)

    That clearly looks like perl to me.

  • They don't know the language? Why are they concerned with the language it was written in? What if it was written in C++ or C on ARM and cross compiled for x86, would it look funky like that? Or is it possible it's compiled in TASM and they are actually looking at a 16-bit code segment where most of them have never seen less than 32-bit code?
  • by Eponymous Coward ( 6097 ) on Wednesday March 07, 2012 @06:17PM (#39280963)

    "Be sure to drink your Ovaltine."

  • This looks a lot like "Spin" from a company called parallax. It's a proprietary programming language used to control their pic and hyperpic processors.
  • One of the comments on the page already said that.

    I remember I disassembled Forth a lot of years ago.
    It comes in 2 flavours: interpreted and compiled.
    It relies on RPN heavily.
    It's a very compact language, both in source and in compiled form.
    You extend the language by using "words", and it's like OOP.

    It's one of the weirdest language I ever used.

  • ... it's Java!

"How many teamsters does it take to screw in a light bulb?" "FIFTEEN!! YOU GOT A PROBLEM WITH THAT?"