DuQu Mystery Language Solved With the Help of Crowdsourcing - jaryd
http://www.wired.com/threatlevel/2012/03/duqu-mystery-language-solved/

======
Jach
HN's previous speculation: <http://news.ycombinator.com/item?id=3682280>

As for this Wired article, feel free to stop reading after:

> A custom framework allowed DuQu’s authors to meld C code with object-
> oriented programming.

The rest is just Costin Raiu spewing bullshit.

~~~
inchcombec
Eugene Kaspersky's twitter comment seemed a lot more speculative than anything
I heard Costin Raiu say. Exact quote:

"The mystery of #Duqu framework <http://bit.ly/w5BrzP> <- seems the state
behind #Duqu sponsored the development of a new progr language"

I don't even do much programming and I was immediately wondering "wtf?" at
that statement. The idea of developing a new programming language just to
create a worm seemed far fetched, to say the least. He also mentions, as if it
were fact despite that I've seen no hard evidence supporting it, that DuQu was
created by a nation state. The whole thing just reeked of alarmist cyberwar
nonsense.

~~~
jaryd
While I agree that it is reasonable to expect trending towards an alarmist
reaction, there are significant enough similarities between DuQu and Stuxnet
to suggest that the authors of the former had access to the source code of the
latter. If you read the W32.Stuxnet Dossier
([http://www.symantec.com/content/en/us/enterprise/media/secur...](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf))
from Symantec it pretty objectively articulates the complexity and
sophistication of the creation of Stuxnet. I personally don't think it's an
alarmist opinion to believe Stuxnet had national interest behind it, and so am
pretty wary of DuQu until more information is uncovered.

~~~
inchcombec
There are significant similarities between DuQu and Stuxnet, agreed. However,
I don't think that necessarily means they share the same author. Stuxnet has
been widely distributed and analysed. There are a lot of smart people/groups
in this world and one of them could have decided to use it as a starting point
for other purposes. I also agree that it isn't alarmist to believe Stuxnet had
a national interest behind it, there has been significant research and
evidence to support that, but that is Stuxnet, not DuQu. Again, since DuQu
came after Stuxnet it is quite possible that another group is responsible for
DuQu that is not related to the original. Although, I do also think that being
wary of DuQu until more information is uncovered is wise. I just don't like
how the comment about it being created by a nation state is thrown in there
casually as if it were already an accepted fact when it is not.

~~~
jaryd
Agreed!

------
apaprocki
Igor's comment on Reddit referenced in the article:

    igor_sk 8 points 9 days ago
    They're wrong, or, rather, they did not express their
    thinking well. They do add "It is possible that its authors
    used an in-house framework to generate intermediary C code"
    [which was then compiled with MSVC], and this, I think was
    exactly the case. I even found something that matches very
    closely after a hint over at /r/ReverseEngineering: Simple
    Object Orientation (for C).

My comment on HN: <http://news.ycombinator.com/item?id=3682531>

Just saying.. :)
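An added illustration (not code from this thread, from DuQu, or from the SOO project) of what "object orientation for C" looks like once it is plain C: a hand-written vtable of function pointers, constructors that are ordinary functions, and virtual dispatch through the object's first field. All type and function names (Shape, Rect, rect_new, demo_total_area, ...) are invented for this example.

```c
#include <stdlib.h>

typedef struct Shape Shape;
/* Vtable: one function pointer per virtual method. In generated C this is
 * what a disassembly shows as an indirect call through the object's first
 * field, with no foreign-function interface in sight. */
typedef struct {
    int  (*area)(const Shape *self);
    void (*destroy)(Shape *self);
} ShapeVtbl;
struct Shape {
    const ShapeVtbl *vtbl;   /* first field, playing the role of a C++ vptr */
    int refcount;
};
/* "Subclasses" embed the base as their first member, so a Rect* or Square*
 * may be used wherever a Shape* is expected. */
typedef struct { Shape base; int w, h; } Rect;
typedef struct { Shape base; int side; } Square;
static int  rect_area(const Shape *s)   { const Rect *r = (const Rect *)s; return r->w * r->h; }
static int  square_area(const Shape *s) { const Square *q = (const Square *)s; return q->side * q->side; }
static void heap_destroy(Shape *s)      { free(s); }
static const ShapeVtbl rect_vtbl   = { rect_area,   heap_destroy };
static const ShapeVtbl square_vtbl = { square_area, heap_destroy };

/* Constructors are ordinary functions written by hand: allocate, install
 * the vtable, initialise fields. Nothing here is generated by the C compiler. */
Shape *rect_new(int w, int h) {
    Rect *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->base.vtbl = &rect_vtbl; r->base.refcount = 1; r->w = w; r->h = h;
    return &r->base;
}
Shape *square_new(int side) {
    Square *q = calloc(1, sizeof *q);
    if (!q) return NULL;
    q->base.vtbl = &square_vtbl; q->base.refcount = 1; q->side = side;
    return &q->base;
}

/* Virtual dispatch and ref-counted release, written against the base only. */
int  shape_area(const Shape *s) { return s->vtbl->area(s); }
void shape_release(Shape *s)    { if (s && --s->refcount == 0) s->vtbl->destroy(s); }

/* Constructed sample: a 3x4 rect and a 5-unit square summed through the base interface (12 + 25). */
int demo_total_area(void) {
    Shape *shapes[2] = { rect_new(3, 4), square_new(5) };
    int total = 0;
    for (int i = 0; i < 2; i++) { if (shapes[i]) total += shape_area(shapes[i]); shape_release(shapes[i]); }
    return total;
}
```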

~~~
obtu
In context:
[https://pay.reddit.com/r/programming/comments/qnyy9/duqu_tro...](https://pay.reddit.com/r/programming/comments/qnyy9/duqu_trojan_written_in_mystery_programming/c3z8qhg?context=5)

------
sendos
*"So you will never code a constructor directly [in C++]. Instead, the compiler codes the constructor for you [and] basically you lose control of the whole thing"*

Utter rubbish. One wonders how he got to be "director of Kaspersky’s Global
Research and Analysis Team" if his knowledge is so limited

~~~
evincarofautumn
This gave me a chuckle too. But hey, if the guy wants to display his lack of
C++ knowledge, he can go for it. His skills and experience are probably just
in different areas, that’s all.

------
bh42222
If you are an experienced C/C++ hacker, this article will hurt your brain.

~~~
RandallBrown
Seems legit to me. I've been writing C++ for years and never had to write a
constructor...

~~~
cecilpl
Then I must say you're either not writing very good code, or you're writing C
and calling it C++.

~~~
RandallBrown
The ... was meant to imply sarcasm. Sorry I wasn't more clear.

~~~
cecilpl
Oh sorry, I hadn't had any coffee yet and just finished reading the daily wtf.
:)

------
aercolino
> It suggests that whoever coded this part of DuQu was conservative, precise,
> and wanted 100 percent assurance that the code would work the way they
> wanted it to work.

That limits possible authors to all programmers in the world.

~~~
georgemcbay
You haven't worked with very many other programmers, have you?

------
jgw
I actually found myself disappointed that it turned out to be something as
pedestrian as C on Visual Studio - I thought (hoped?) it would be something
really obscure and exotic.

I confess that I'm tickled silly by the whole mystery of Stuxnet. It must have
been a fascinating project to work on.

~~~
gaius
We do now know however that one compiler flag is all it takes to throw off
professional, full-time reverse-engineers. That's got to be valuable to
someone.

~~~
lukeschlather
Well, to be fair, according to the article it was _two_ compiler flags.

~~~
gaius
Either way, Team Kaspersky didn't exactly cover themselves in glory. Probably
the 2nd most used compiler on the planet, in the most obvious language. God
help them if someone really did confront them with an exotic language.

------
munin
this was blindingly obvious to anyone that does anything with compilers and
reverse engineering. there are some really big clues: the access to C
functions from win32 is direct, with no visible FFI. the generated code has a
lot of qualities shared with C code, in terms of control flow and stack usage,
and it had a lot in common with the MS C compiler based on how it uses the
stack.

that it deceived kaspersky this long is frankly disturbing.

~~~
runjake
Hindsight is 20/20.

It may have seemed obvious in hindsight, but some pretty bright people were
looking at it, including compiler people at MS.

If it were truly so obvious, it's a shame you didn't end everyone's troubles
when the mystery was originally posted here.

~~~
munin
I didn't see the discussion on HN :)

it was posted to some (private) mailing lists I'm on, and I posted exactly the
same thing there.

------
keshet
"..because, when compiled, it was known to produce code that could be
unpredictable."

All the code I write is unpredictable when compiled. Such is the life.

------
timtadh
Here is the blog post from Kaspersky:
[http://www.securelist.com/en/blog/677/The_mystery_of_Duqu_Fr...](http://www.securelist.com/en/blog/677/The_mystery_of_Duqu_Framework_solved)

All of the posts on Duqu are pretty interesting. If you have a few minutes you
should check them out.

------
danbmil99
That clears it up -- it must have been Linus.

<http://news.ycombinator.com/item?id=687587>

------
hsmyers
Well we already know that crowdsourcing works for funding---that it works for
coding is no surprise. The folks over in Bio have learned that lesson. All of
which makes me wonder about a future (at least to me) formal mechanism to
allow projects to adopt crowds as part of their overall coding methods.
Parsing the useful from the cruft might be a pain, but it seems like it might
well be worth it depending on the need and circumstances.

~~~
RandallBrown
Most big open source projects take advantage of crowdsourcing. Firefox and
Chrome are two of the bigger examples.

