A request for help from Kaspersky: Researchers Seek Help in Solving DuQu Mystery Language
Source: Internet. Editor: 程序博客网. Time: 2024/06/08 11:15
VANCOUVER, British Columbia — DuQu, the malicious code that followed in the wake of the infamous Stuxnet code, has been analyzed nearly as much as its predecessor. But one part of the code remains a mystery, and researchers are asking programmers for help in solving it.
The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines.
Researchers at Russia-based antivirus firm Kaspersky Lab have been unable to determine the language in which the communication module is written and plan to discuss the mystery code Wednesday at the CanSecWest security conference in Vancouver in the hope of finding someone who can identify it.
They’ve also published a blog post providing more information about the language.
While other parts of DuQu are written in the C++ programming language and are compiled with Microsoft's Visual C++ 2008, this part is not, according to Alexander Gostev, chief security expert at Kaspersky Lab. Gostev and his team have also determined that it's not Objective-C, Java, Python, Ada, Lua or many other languages they know.
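A claim like "compiled with Visual C++ 2008" is testable from the module's own headers, so the following added example (written for this page, not code from the article, from Kaspersky Lab, or from the DuQu samples) shows the two places a Microsoft linker leaves a toolchain fingerprint: the MajorLinkerVersion/MinorLinkerVersion bytes of the PE optional header (link.exe 9.0 ships with Visual Studio 2008) and the undocumented "Rich" header between the DOS stub and the PE signature, which lists the product id and build number of every compiler component whose objects went into the link. The version-to-release table and the sample PE are assumptions constructed here; the Rich key is normally a checksum, which this example does not verify. The check says something about the toolchain, not about the language of the source, and both fields can be stripped or forged, so it is a hint rather than proof.

```python
"""Fingerprint the toolchain that built a PE module from its headers.

Reads the optional header's linker version and decodes the Rich header.
The sample PE used at the bottom is constructed in memory (not a real binary).
"""
import struct

# Linker major version -> Visual Studio release (assumed mapping, well known
# but only the entries needed for this example).
LINKER_MAJOR_TO_VS = {
    6: "Visual C++ 6.0",
    7: "Visual Studio .NET 2002/2003",
    8: "Visual Studio 2005",
    9: "Visual Studio 2008",
    10: "Visual Studio 2010",
    11: "Visual Studio 2012",
    12: "Visual Studio 2013",
    14: "Visual Studio 2015 or later",
}

DANS = 0x536E6144   # "DanS" as a little-endian dword, start marker of the Rich block
RICH = b"Rich"      # end marker, followed by the XOR key


def linker_version(pe: bytes):
    """Return (major, minor) from the optional header, or None if not a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header is 20 bytes; the optional header that follows starts with
    # Magic(2), MajorLinkerVersion(1), MinorLinkerVersion(1).
    opt = e_lfanew + 4 + 20
    major, minor = struct.unpack_from("<BB", pe, opt + 2)
    return major, minor


def rich_header(pe: bytes):
    """Decode the Rich header into [(product_id, build, object_count)], or None if absent."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    end = pe.rfind(RICH, 0, e_lfanew)
    if end < 0:
        return None
    key = struct.unpack_from("<I", pe, end + 4)[0]
    # Walk backwards one dword at a time, XORing with the key, until "DanS".
    words = []
    pos = end - 4
    while pos >= 0x40:
        w = struct.unpack_from("<I", pe, pos)[0] ^ key
        if w == DANS:
            break
        words.append(w)
        pos -= 4
    else:
        return None  # "Rich" without a matching "DanS": not a valid block
    words.reverse()
    # Three zero padding dwords follow DanS, then (comp_id, count) pairs where
    # comp_id packs the product id in the high 16 bits and the build in the low 16.
    return [((comp >> 16), comp & 0xFFFF, count)
            for comp, count in zip(words[3::2], words[4::2])]


def fingerprint(pe: bytes) -> dict:
    """Summarise what the headers say about the toolchain."""
    lv = linker_version(pe)
    return {
        "linker": lv,
        "visual_studio": LINKER_MAJOR_TO_VS.get(lv[0], "unknown") if lv else None,
        "rich": rich_header(pe),
    }


def build_sample_pe(linker=(9, 0),
                    rich_entries=((0x0083, 21022, 12), (0x0091, 21022, 1)),
                    key=0x1234ABCD, include_rich=True) -> bytes:
    """Construct a minimal PE image in memory (constructed sample, not a real file).

    Build 21022 is the Visual Studio 2008 RTM toolchain (cl.exe 15.00.21022).
    The product ids are placeholders; the key is arbitrary, not a real checksum.
    """
    rich = b""
    if include_rich:
        rich = struct.pack("<I", DANS ^ key) + struct.pack("<III", key, key, key)
        for prod, build, count in rich_entries:
            rich += struct.pack("<II", ((prod << 16) | build) ^ key, count ^ key)
        rich += RICH + struct.pack("<I", key)
    dos_stub = b"\x00" * 0x40                      # stand-in for the real DOS stub
    e_lfanew = 0x40 + len(dos_stub) + len(rich)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB", 0x10B, *linker) + b"\x00" * (0xE0 - 4)
    return dos + dos_stub + rich + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    print(fingerprint(build_sample_pe()))
```

On a real module, pass the file contents (`open(path, "rb").read()`) to `fingerprint`. Disagreement between the two fields, a Rich header that is missing while the linker version claims a Microsoft toolchain, or a build number that does not correspond to any shipped compiler are the anomalies worth noting; they are also exactly what a developer who wanted to hide a toolchain would produce, which is why the article's researchers had to fall back on the code itself.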
While it’s possible the language was created exclusively by DuQu’s authors for their project and has never been used elsewhere, it’s also possible it’s a language that is commonly used, but only by a specific industry or class of programmers.
Kaspersky is hoping that someone in the programming community will recognize it and come forward to identify it. Identification of the language could help analysts build a profile of DuQu’s authors, particularly if they can tie the language to a group of people known to use this specialized programming language or even to people who were behind its development.
DuQu was discovered last year by Hungarian researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics.
The researchers examined the code on behalf of an unidentified company that was infected by the malware. The Hungarian researchers discovered that the code was remarkably similar to Stuxnet and concluded that it had been written by the same team. But although Stuxnet was designed to sabotage centrifuges used in Iran’s uranium enrichment program, DuQu’s purpose was espionage. Researchers believe it’s designed to gather intelligence about targeted systems and networks in order for its authors to then design other malware, such as Stuxnet, to sabotage those systems.
Kaspersky researchers have been analyzing the code and its command-and-control structure on and off for months. In that time, they’ve been unable to determine very much about the language in which DuQu’s communication module is written, except that the language is object-oriented and is highly specialized.
The module is an important part of DuQu's payload, which is the part of DuQu that performs malicious functions once it's on an infected machine. The module allows DuQu's DLL file to operate completely independently of the other DuQu modules. It also takes data stolen from infected machines and transmits it to command-and-control servers, and it has the ability to distribute additional malicious payloads to other machines on a network in order to spread the infection.
It’s unclear why this part of the malware was written in a different language, but Gostev says it could be that it was simply written by a different team than the team that wrote the rest of the code. This team may have used this language simply because it was more familiar with it, or it had special properties for the tasks the team wanted to accomplish.
But, Gostev says, it could also be that DuQu’s developers purposely used a customized language for this part of the malware in order to prevent researchers and anyone else who might discover the code from fully analyzing it and understanding its interactions with command-and-control servers.
Chinese version: http://sd.csdn.net/a/20120309/312942.html