Monday, March 12, 2012

Duqu trojan payback for decommissioning old IBM systems


Our society depends more and more on computers. Financial transactions are mostly done electronically, industries depend on IT, and armed forces are largely blind and without information if the IT systems supporting them stop working. We do have to worry about solar storms knocking out most of our modern communication channels and systems, but somewhat closer to earth there are other things to worry about as well.

One of the threats we have to worry about, and one that comes from our own planet, is that criminals, and not only criminals but also the militaries and secret services of countries, are working on very advanced technology to knock out systems, break into them, or cause other disruption and theft. We are not talking about hackers here, as I still have a mindset in which hackers are the good guys who play intelligent games that sometimes reach just over the line of what is officially legal. In my opinion hackers are still the good guys.

It is the people who turn to the true dark side and sell their craft to wealthy criminal organizations who are the problem. Some very gifted developers and computer scientists go for the big bucks and do not care about what they develop or with what intention it will be used.

The second group is the group of computer scientists who sell their craft to governments by working for an army or secret service. Whether this group is in it for the money is more debatable. It is without any doubt that governments are willing to pay top dollar for gifted developers and computer scientists, but we have to keep in mind that one man's terrorist is another man's freedom fighter. We can agree or disagree with the views of other governments, but I do think that this group is less dollar driven.

That a lot of money is paid to developers to write malware and tools to cause mayhem is shown once again by the people at Kaspersky Lab. Kaspersky is currently trying to find out how the new Duqu Trojan was developed and how it works. What they have established so far is what it does and how it communicates. The scary part of this Trojan, however, is that part of it is written in a language they could not identify. It was tested to see if it was developed in C++, Objective C, Java, Python, Ada, Lua, or any other known language, and all of those tests have so far come back negative.
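The kind of test described above, checking an unknown image for the telltale strings that a compiler or language runtime leaves behind, can be illustrated with a small script. This is an added example for this post and not Kaspersky's tooling; the marker table, the sample images and the names in it are constructed assumptions, not a real signature database, and the point of the third sample is to show what a negative result across the whole table looks like.

```python
"""Heuristic language/compiler fingerprinting of an unknown binary.

Added example, not Kaspersky's method. A compiler or language runtime usually
embeds recognisable strings (RTTI names, exception personality routines,
runtime symbols) in the image, so searching for them can confirm or rule out a
language. The marker table and sample images below are constructed for
illustration and are assumptions, not a complete signature set.
"""
from typing import Dict, List

# Constructed marker table (assumption): a few strings each toolchain commonly
# leaves in a binary. Real signature sets are far larger.
LANGUAGE_MARKERS: Dict[str, List[bytes]] = {
    "C++ (MSVC)": [b".?AV", b"__CxxFrameHandler", b"type_info"],
    "C++ (GCC/Clang)": [b"_ZTV", b"_ZTI", b"__gxx_personality"],
    "Objective-C": [b"__objc_classlist", b"_objc_msgSend", b"__OBJC"],
    "Java": [b"java/lang/Object", b"\xca\xfe\xba\xbe"],
    "Python": [b"PyInit_", b"Py_Initialize", b"python3"],
    "Ada (GNAT)": [b"adainit", b"adafinal", b"__gnat_"],
    "Lua": [b"lua_pcall", b"luaL_newstate", b"Lua 5."],
    "Go": [b"Go build ID:", b"runtime.goexit", b"go.buildid"],
}


def fingerprint(image: bytes) -> Dict[str, List[str]]:
    """Return {language: [markers found]} for every language with at least one hit."""
    hits: Dict[str, List[str]] = {}
    for language, markers in LANGUAGE_MARKERS.items():
        found = [m.decode("latin-1") for m in markers if m in image]
        if found:
            hits[language] = found
    return hits


def classify(image: bytes) -> str:
    """Best guess for the source language, or 'unknown' when no marker matches.

    A negative result does not prove a new language: a stripped image, a
    custom runtime, hand-written assembly, or a compiler missing from the
    table all look the same. Treat 'unknown' as 'not recognised'.
    """
    hits = fingerprint(image)
    if not hits:
        return "unknown"
    # Prefer the language with the most independent markers found.
    return max(hits, key=lambda lang: len(hits[lang]))


# Constructed sample images (assumption): a few header bytes plus the kind of
# strings a real binary of that origin would carry.
MSVC_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b".?AVCDuqu@@\x00__CxxFrameHandler3\x00"
GO_SAMPLE = b"\x7fELF" + b"\x00" * 16 + b'Go build ID: "abc123"\x00runtime.goexit\x00'
# Custom-framework sample: plausible function prologue bytes and framework
# strings, but nothing any entry in the marker table recognises.
OPAQUE_SAMPLE = b"MZ\x90\x00" + b"\x55\x8b\xec" * 8 + b"CallbackDispatch\x00EventQueue\x00"


if __name__ == "__main__":
    for name, image in (("msvc", MSVC_SAMPLE), ("go", GO_SAMPLE), ("opaque", OPAQUE_SAMPLE)):
        print(f"{name:7s} -> {classify(image)}  hits={fingerprint(image)}")
```

Run against a real file, the image would be `open(path, "rb").read()` instead of the constructed samples; the important behaviour is the third case, where every test is negative and the only honest answer is "unknown", which is exactly the situation the post describes and which says nothing by itself about whether the code is a new language, a very old one, or hand-written assembly.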

Developing a new programming language is a very long and costly process and needs very experienced developers. It would need wealthy backing in the form of a government or a very rich criminal syndicate. There is another option, however: that it is not a new language but a very old one. Some people claim that it might be the output of an old IBM compiler used on OS/400, System/38 and the oldest System/36 systems.

That code looks familiar:
The code you're referring to, the unknown C++, looks like the older IBM compilers found in OS400 SYS38 and the oldest sys36.

The C++ code was used to write the TCP/IP stack for the operating system and all of the communications. The protocols used were the following: X.21 (async) all modes, Sync SDLC, X.25 Vbiss5 10 15 and 25, CICS, RS232. This was a very small and powerful communications framework. The IBM System 36 had only a 300MB hard drive and one megabyte of memory; the operating system came on diskettes.

This would be very useful in this virus. It can track and monitor all types of communications. It can connect to everything and anything.

Some parts of the current Duqu Framework are "simple" C++ code, but other parts are written in the unknown code, which might be what the quote above from As400tech is describing (judging by his knowledge and his name, a very experienced AS400 developer). If this turns out to be true, it could mean that the developer of this part of the Trojan is an experienced AS400 developer. As companies are decommissioning AS400 systems daily and leaving an entire community of AS400 developers behind without a proper job, a large group of people could come onto the market who are potentially very interesting to governments, secret services and criminal syndicates. Whoever stated that AS400 developers were out of the market was apparently wrong.

However, this is only the thought of one person and not necessarily correct. Some people think it is hand-written low-level assembly code. This would mean that someone took it upon himself to write all of the assembly by hand instead of letting a compiler translate it into machine code, which would also explain why no known compiler's fingerprint is found in it. Whoever created the Duqu Trojan (and Stuxnet) must have been a very good programmer or a team of good programmers (in my humble opinion).

You can condemn the writing of such code from an ethical and moral point of view, or you can agree with it; whatever your point of view, you have to admire the craftsmanship of the developer.
