Eugene Kaspersky's Twitter comment seemed a lot more speculative than anything I heard Costin Raiu say. Exact quote:
"The mystery of #Duqu framework http://bit.ly/w5BrzP <- seems the state behind #Duqu sponsored the development of a new progr language"
I don't even do much programming and I was immediately wondering "wtf?" at that statement. The idea of developing a new programming language just to create a worm seemed far-fetched, to say the least. He also mentions, as if it were fact despite my having seen no hard evidence supporting it, that DuQu was created by a nation state. The whole thing just reeked of alarmist cyberwar nonsense.
While I agree that it is reasonable to expect trending towards an alarmist reaction, there are significant enough similarities between DuQu and Stuxnet to suggest that the authors of the former had access to the source code of the latter. If you read the W32.Stuxnet Dossier (http://www.symantec.com/content/en/us/enterprise/media/secur...) from Symantec it pretty objectively articulates the complexity and sophistication of the creation of Stuxnet. I personally don't think it's an alarmist opinion to believe Stuxnet had national interest behind it, and so am pretty wary of DuQu until more information is uncovered.
There are significant similarities between DuQu and Stuxnet, agreed. However, I don't think that necessarily means they share the same author. Stuxnet has been widely distributed and analysed. There are a lot of smart people/groups in this world and one of them could have decided to use it as a starting point for other purposes. I also agree that it isn't alarmist to believe Stuxnet had a national interest behind it, there has been significant research and evidence to support that, but that is Stuxnet, not DuQu. Again, since DuQu came after Stuxnet, it is quite possible that another group is responsible for DuQu that is not related to the original. I do also think, though, that being wary of DuQu until more information is uncovered is wise. I just don't like how the comment about it being created by a nation state is thrown in there casually as if it were already an accepted fact when it is not.
Igor's comment on Reddit referenced in the article:
[–]igor_sk 8 points 9 days ago
They're wrong, or, rather, they did not express their thinking well. They do add "It is possible that its authors used an in-house framework to generate intermediary C code" [which was then compiled with MSVC], and this, I think, was exactly the case. I even found something that matches very closely after a hint over at /r/ReverseEngineering: Simple Object Orientation (for C).
> "So you will never code a constructor directly [in C++]. Instead, the compiler codes the constructor for you [and] basically you lose control of the whole thing"
Utter rubbish. One wonders how he got to be "director of Kaspersky's Global Research and Analysis Team" if his knowledge is so limited.
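For readers who have not seen it, this is what "object orientation in plain C" looks like, the style Igor's comment points at and the thing the quoted sentence garbles: the constructor is an ordinary function the programmer writes by hand, and "virtual" methods are function pointers in a per-class table. This is an added illustration, not DuQu's code and not the Simple Object Orientation (for C) library; the type and function names (Shape, Rect, Circle, rect_new, shape_area and so on) are invented for the example.

```c
/* Hand-rolled object orientation in plain C: explicit constructors,
 * one vtable of function pointers per "class", and virtual dispatch
 * through it. Illustrative example only; names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct Shape;

/* A vtable is just a struct of function pointers; one shared,
 * constant instance exists per "class". */
struct ShapeVtbl {
    double (*area)(const struct Shape *self);
    const char *(*name)(const struct Shape *self);
    void (*destroy)(struct Shape *self);
};

/* Base "class". The vtable pointer is the first field, so a virtual
 * call decompiles to an indirect call through the object's first word. */
struct Shape {
    const struct ShapeVtbl *vtbl;
    int id;
};

/* "Subclasses" embed the base as their first member, so &obj->base is
 * a valid struct Shape * (single inheritance by layout). */
struct Rect   { struct Shape base; double w, h; };
struct Circle { struct Shape base; double r; };

static double rect_area(const struct Shape *s) {
    const struct Rect *r = (const struct Rect *)s;
    return r->w * r->h;
}
static const char *rect_name(const struct Shape *s) { (void)s; return "rect"; }

static double circle_area(const struct Shape *s) {
    const struct Circle *c = (const struct Circle *)s;
    return 3.14159265358979 * c->r * c->r;
}
static const char *circle_name(const struct Shape *s) { (void)s; return "circle"; }

/* Both classes are malloc'd, so one destructor serves both. */
static void shape_free(struct Shape *s) { free(s); }

static const struct ShapeVtbl RECT_VTBL   = { rect_area,   rect_name,   shape_free };
static const struct ShapeVtbl CIRCLE_VTBL = { circle_area, circle_name, shape_free };

/* Constructors are ordinary functions the programmer writes by hand:
 * allocate, install the vtable, initialise the fields. */
struct Shape *rect_new(int id, double w, double h) {
    struct Rect *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->base.vtbl = &RECT_VTBL;
    r->base.id = id;
    r->w = w;
    r->h = h;
    return &r->base;
}

struct Shape *circle_new(int id, double radius) {
    struct Circle *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->base.vtbl = &CIRCLE_VTBL;
    c->base.id = id;
    c->r = radius;
    return &c->base;
}

/* Virtual dispatch: look the method up in the object's own vtable. */
double shape_area(const struct Shape *s)      { return s->vtbl->area(s); }
const char *shape_name(const struct Shape *s) { return s->vtbl->name(s); }
void shape_destroy(struct Shape *s)           { if (s) s->vtbl->destroy(s); }

/* Polymorphic use: a heterogeneous array summed through the base type. */
double total_area(struct Shape *const *shapes, size_t n) {
    double total = 0.0;
    for (size_t i = 0; i < n; i++)
        if (shapes[i]) total += shape_area(shapes[i]);
    return total;
}

/* Builds a small constructed scene, sums it and frees it. Returns the
 * total so the result can be checked programmatically. */
double demo_total_area(void) {
    struct Shape *shapes[3];
    shapes[0] = rect_new(1, 2.0, 3.0);   /* area 6.0 */
    shapes[1] = rect_new(2, 1.5, 4.0);   /* area 6.0 */
    shapes[2] = circle_new(3, 1.0);      /* area pi  */
    double total = total_area(shapes, 3);
    for (size_t i = 0; i < 3; i++) shape_destroy(shapes[i]);
    return total;
}

int main(void) {
    printf("total area: %.5f\n", demo_total_area());
    return 0;
}
```

Compiled with MSVC this produces exactly the pattern described in the thread: direct calls into the C runtime and Win32 with no foreign-function layer, and method calls that show up as indirect calls through a pointer loaded from the object's first word, with no C++ RTTI, mangled names or compiler-generated constructors to give the language away.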
This gave me a chuckle too. But hey, if the guy wants to display his lack of C++ knowledge, he can go for it. His skills and experience are probably just in different areas, that’s all.
> It suggests that whoever coded this part of DuQu was conservative, precise, and wanted 100 percent assurance that the code would work the way they wanted it to work.
That limits possible authors to all programmers in the world.
I actually found myself disappointed that it turned out to be something as pedestrian as C on Visual Studio - I thought (hoped?) it would be something really obscure and exotic.
I confess that I'm tickled silly by the whole mystery of Stuxnet. It must have been a fascinating project to work on.
We do now know however that one compiler flag is all it takes to throw off professional, full-time reverse-engineers. That's got to be valuable to someone.
Either way, Team Kaspersky didn't exactly cover themselves in glory. Probably the 2nd most used compiler on the planet, in the most obvious language. God help them if someone really did confront them with an exotic language.
>I wonder why this "research" hasn't been shut down by various governments. Yet. Unless it leads to a red herring.
Because anyone who stepped in to stop it would be basically admitting involvement. Right now the perpetrators are likely exactly where they want to be. Speculated on as a possibility, but unconfirmed.
This was blindingly obvious to anyone who does anything with compilers and reverse engineering. There are some really big clues: the access to C functions from win32 is direct, with no visible FFI. The generated code has a lot of qualities shared with C code, in terms of control flow and stack usage, and it had a lot in common with the MS C compiler based on how it uses the stack.
That it deceived Kaspersky this long is frankly disturbing.
I agree. I personally can't believe Kaspersky were this incompetent. To me the entire thing sounds like a PR play. Just look at all the alarmist headlines they generated.
Well, we already know that crowdsourcing works for funding; that it works for coding is no surprise. The folks over in Bio have learned that lesson. All of which makes me wonder about a future (at least to me) formal mechanism to allow projects to adopt crowds as part of their overall coding methods. Parsing the useful from the cruft might be a pain, but it seems like it might well be worth it depending on the need and circumstances.
As for this Wired article, feel free to stop reading after:
> A custom framework allowed DuQu’s authors to meld C code with object-oriented programming.
The rest is just Costin Raiu spewing bullshit.