The Mystery of the Duqu Framework

realbasic

Could it be realbasic?

That code looks familiar

The code your referring to .. the unknown c++ looks like the older IBM compilers found in OS400 SYS38 and the oldest sys36.

The C++ code was used to write the tcp/ip stack for the operating system and all of the communications. The protocols used were the following x.21(async) all modes, Sync SDLC, x.25 Vbiss5 10 15 and 25. CICS. RSR232. This was a very small and powerful communications framework. The IBM system 36 had only 300MB hard drive and one megabyte of memory,the operating system came on diskettes.

This would be very useful in this virus. It can track and monitor all types of communications. It can connect to everything and anything.

Re:

Thank you!

Re: Language ideas

It is definitely not a CLR based language. Native code only.

Re: Its Iron Python

No traces of the .NET framework or JIT.

Re: Guess

We've tried D, too.

Re: WEB Guess

The Duqu Framework shares many principles of libevent, but it is completely object-oriented, even all events and callbacks are wrapped in objects.
Some APIs that are called by the Duqu event monitor object are not present in sources of libevent.
Anyway, we should study the sources of libevent again, to be 100% sure. Thanks!

Re: My first thought...

We tried Vala, too. Unfortunately, the generated code is completely different.

Re: Google's Go language?

Go was one of the first languages to check. That's definitely not Go.

Different

Rather than listing all programming languages .. when I was much younger I took assembler output from compilers and modified it.
Now for a serious amount of code that would be far too much effort, I'll be the first to admit that.
What if the programming team is not a commercial organisation, and doesn't care about spending a few weeks on this..?? the resulting code would have an uncertain, and unknown signature, somewhat close to an as yet unknown programming language.

Re: It's most probably Lisp, inspired by Mosquito Lisp

Thank you Wes! Could you please suggest a Lisp implementation that we should check in the first place?

Destructors may be a clue

The presence of destructor functions in all classes, which (if I'm reading your sample correctly) deallocate memory as well as releasing anything else owned by the object, may be an important clue. Deterministic destruction, as opposed to garbage collection, is a feature very few languages have. It certainly rules out several of the suggestions in the comments, such as Lisp or JavaScript.

C++ is the only language in which it's a commonly used idiom; the only other languages I know of that make it available (but not often used in practice) are Python (only in CPython), Perl 5, and the most recent incarnation of Objective-C. (Maybe D, I'm not sure.) You seem to have checked all those.

SCIL in microSCADA

Have you tried looking at this? it drags its own event loop because of it history.

It's been a looooong time since I've worked on them, but this does smell to me a little bit like something that'd come out of an AS/400 compiler as well. RPG/400? But not sure why that'd be the way to go to code for Windows.

Re: Re: It's most probably Lisp, inspired by Mosquito Lisp

It's probably the Ferret Lisp to C++ compiler ( http://nakkaya.com/2011/06/29/ferret-an-experimental-clojure-compiler/ )

"Ferret: An Experimental Clojure Compiler

Ferret is an experimental Lisp to C++ compiler, the idea was to compile code that is written in a very small subset of Clojure to be automatically translated to C++ so that I can program stuff in Clojure where JVM or any other Lisp dialect is not available. "

Lisp to C++ compiler

It's probably the Ferret Lisp to C++ compiler ( http://nakkaya.com/2011/06/29/ferret-an-experimental-clojure-compiler/ )

"Ferret: An Experimental Clojure Compiler

Ferret is an experimental Lisp to C++ compiler, the idea was to compile code that is written in a very small subset of Clojure to be automatically translated to C++ so that I can program stuff in Clojure where JVM or any other Lisp dialect is not available. "

Re: Destructors may be a clue

Good thought on destructors. On other possibility: In Ada, overriding the Finalize procedure creates a destructor for an object. Described here: http://en.wikibooks.org/wiki/Ada_Programming/Object_Orientation#Destructors

Re: Guess: Ada tasks?

It's also interesting to note:
- The GNU Ada reference library (GNARL) has a function InitializeCriticalSection. Critical sections are commonly used in Ada tasks, such as to implement synchronization by monitors and semaphores.
- You can build Windows DLLs with the Ada GNAT compiler. See http://www.adacore.com/wp-content/files/auto_update/gnat-unw-docs/html/gnat_ugn_38.html.
- See later post: Object-oriented Ada does allow you to implement destructors for your objects:
http://en.wikibooks.org/wiki/Ada_Programming/Object_Orientation
- Ada is not used by many people, but is used widely in government and defense.

Embedded systems compiler?

The description of the features identified makes me think that you are looking at code from a compiler that targets devices. The giveaway is the lack of inheritance in an object based system and the ability to pass the "this" pointer in multiple ways. Those are features that can be useful in a resource constrained system. I would look at something like QNX or a competitor.

Re: Re: It's most probably Lisp, inspired by Mosquito Lisp

Igor,

Your first mistake is assuming that they are using an off the shelf compiler. Scott Dunlop wrote Mosquito Lisp, which is an entire virtual machine with a byte code language and a dialect of Scheme combined with Lisp in about nine months or so.

Someone who is smart and motivated, as the Duqu people were, could dedicate someone to writing a compiler in-house in the same timeframe, but targeted towards x86 object systems -- we could have done this, but we wanted to transmit byte code and be portable across multiple architectures. Different goals here. You also presume that they are using an off the shelf linker. Mosquito Lisp and Wasp Lisp append byte code to the end of the VM stub.

-Wes

Re: Re: Re: It's most probably Lisp, inspired by Mosquito Lisp

Probably not. Duqu and Stuxnet components date to 2007, predating this. I would also point out that as of 2006, this particular technique of a virtual machine to evade detection and reverse engineering was known.

The object system matches what I remember of Wirth's Oberon. In Oberon, an object was really just a struct with method pointers. Conventionally you'd place them at the beginning the struct, but you didn't have to. The "this" pointer had to be passed manually (normally as the first parameter, but this was not required). Inheritance was done by specifying that struct B should start with the same members as struct A.

However using Oberon today would be very anachronistic, and the object system is so minimal that it must have been many independent creations.

object oriented C

Is there any reason why this isn't simply C-code written in an object oriented fashion? Putting a function pointers into structs looks like classes, when you are explicitely passing "this" around as a function parameter then you might sometimes choose to use the 2nd or 3rd argument for it, if the compiler only puts the first 2 arguments into registers and the other arguments on the stack...

At least I like to code in C and often find myself using function pointers and an object-oriented style where it makes sense.

Small Talk

Could this be a variant of SmallTalk?

Go

Is it... Google Go?

Re: Go

The destructors may point in another direction though.

Re: Re: Go

Or has anyone mentioned REALbasic yet? It would probably plug in well in Visual Studio. It would also be prestigious to create a potent virus in Basic.

Possiblities

Borland Delphi? (although if it was Delphi, there would be specific strings in there that would identify it)
C code written to fake object orientation using structures? (glib for one does stuff like this and its not unheard of in other circles)
Whatever it is, its clearly not some sort of blah-to-C++ converter otherwise the output would look like the output of a C++ compiler.

I think that posting any strings from the exe might help identify the compiler, as would identifying any signatures of the linker or the compilers used for other bits of code. If its known that Microsoft Visual C++ was used for other parts of the code, that would probably rule out compilers where the output isn't compatible with Visual C++.

Also examining the memory allocation functions (labeled new and free in the above images) might narrow down if they match any known language or if they are custom written.

EDIT:
I didn't see the mention that the visual C++ 2008 linker was used.

That rules out Delphi and probably Borland C++/Borland C++ Builder.

I still think there may be strings in there that hint at the compiler or that the memory allocate/free functions could give clues (or that details of which dlls it imports from and which APIs it imports could rule in or out possible options)

I can also rule out GCC G++ from the look of the ASM, its definatly not any version of GCC G++ that I know of.

Interesting

Considering it uses destructors, plus the payload had something to do with breaking non windows systems in a nuclear facility (windows would be exclusively for reading data), plus real-time implications, I would suggest the assembler for a HEX/ROM file generated by a tool like Paradigm C++ destined for an old 386 or 486. If they had a windows box reading data through RS232 from a critical subsystem, and the port wasn't configured exclusively for output, it would be very possible to drop a new ROM into the subsystem. Lots of really weird implications if this is true.

Thanks for the post Igor, this was a lot of fun!