Saturday, January 7, 2012

Duqu "hints" of an alien architecture

My Quantum Leap Buzz "cyberwar dashboard" fired off a new alert to me about the Duqu command and control servers being "…written in a language the researchers had never seen before…"
The link cited an article, in which I found the following paragraph:
Another question is that one of the components for the Duqu command-and-control (C&C) servers was written in a programming language that the researchers had never seen before. "It was a very curious procedural language ... we don't know why they chose to write it in a different language, and we don't know what this language is," Raiu says. "Solving this [may] help us understand who created the communication module, or if different groups don't know about one another," for example, he says.
I've written multiple times about the "holy grail" of The Perfect Virus being Black Box Portability (principle #7). From this latest bit of intelligence (I really like running my own news-aggregation/analysis dashboard, rather than leaving it up to any news organization to tell me what THEY think is important), I make the following inferences:

  1. The creators of Duqu have made a government-level investment in attack architecture.
  2. The creators of Duqu are a Western government (most likely the U.S.).
  3. This may explain the slacking off of China's cyber misbehavior (i.e., "There's a new sheriff in town.").
  4. If I were one of the whacky anarchists attacking supporters of SOPA (the Stop Online Piracy Act), I'd think twice about using extra-legal means, as hard prison time for a late-teen/twenty-something prisoner could have some nasty experiences in the general population of a federal prison.
Net net: You wild and zany guys from Anonymous/Lulzsec might line up some legal heavyweights. And when you decide to file lawsuits challenging SOPA, you might seriously consider filing in the jurisdiction of the only federal judge who knows dittley-squat about cyber law. That would be Judge Clark Waddoups in Utah, about whom I opined over a year ago (see my article on how Judge Waddoups kept 1-800Contacts from hijacking the Internet).

I just got an email obviously sent by Anonymous to all of the Stratfor subscribers giving me George Friedman's mobile and home phone numbers, along with a spoof "butthurt" incident report website. While I am ashamed of myself for laughing so hard, especially since I think George Friedman and Stratfor have been pretty on the money in their analyses, I'm afraid that some hard jail time for the anonymous culprits will give their concept of "butthurt" a whole new meaning.

Oh, yes. And for those of you who are the least bit paranoid, I'd recommend getting your own BUZZ dashboard going and sending your cell phone text messages whenever the H5N1 virus starts trending into your state. If you wait for the evening news to figure out there's a story afoot, it could be way too late for you and your family.


  1. -"The purpose of Du Qu and the mystery of the 36 days" (part one).

    -From what I have read:

    -Security experts are still analyzing the code to determine what information it contains:

    1) -Duqu got its name from the prefix "-DQ" it gives to the names of files it creates.

    2) -SYMANTEC said: "nearly identical to STUXNET, but with a completely different purpose".

    3) -DELL SECUREWORKS reports that Duqu may not be related to STUXNET.

    4) -According to McAfee, one of Duqu's actions is to steal digital certificates (and the corresponding private keys) from attacked computers to help future viruses appear as secure software.

    5) -Discovered on 1 September 2011 by CrySyS (Hungary University).

    6) -Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in a configuration file), which would limit its detection.

    + Then...

    a) -Du qu is a thief.
    b) -Du qu is a white collar thief who steals QUality DocUments.

    -If "DQ" means "DocUments QUality" we know that the authors are not anglophones.

    to be continued.

  2. Thanks, Joseph. The 36-day removal is similar to the Stuxnet death date, and Richard Clarke suggests that this is a U.S. Congress legal oversight condition that will (a) limit liability and (b) limit damage caused by a rogue virus.

  3. -"The purpose of Du-qu and the mystery of the 36 days" (part two).

    - KASPERSKY gives another explanation for "-DQ".
    - I think in Spanish; for this reason I write "Documento de Calidad = -DQ", not "Quality Document = QD" in English.

    -And now ...
    Why does DUQU need 36 days?
    What happens in 36 days?
    Why does it work for 36 days?

    -A white collar thief steals ... and...
    What is the best time to steal and where?
    + In my humble opinion the answer is:

    a) 36 DAYS IS A MONTH AND SIX DAYS = 30+6 = 3+30+3
    b) April + 6 days
    c) June + 6 days
    d) September + 6 days
    e) November + 6 days
    f) 3 days + Month + 3 days

    ... because ... What happens at the beginning and the end of the month?

    -For example: the accounting department makes lists of invoices, payments, bills, addresses, calling card numbers, loyalty card numbers, credit card numbers and more numbers... something a thief and forger can use. A thief like DUQU.

    -If DUQU attacks in April it can get two lists of two different months (March-April).

    -If DUQU attacks in April, June, September and November it can get 8 lists and avoid the strange information usual at Christmas and Summer (December and January - July and August).

    + Duqu hit and run.
    + Minimum work and maximum benefit.

    - I think the U. S. Congress lawyers do not understand the math.

  4. Clarke's point was that Duqu is a US DoD project, and that congressional oversight insisted on limiting global liability. It's clear Duqu (or parts of Duqu) were produced by a system not commercially available. Hence, a government entity. Your 36-day scenario assumes that Duqu will hit 3 days before the end of the month, which is probably not practical. My "gut" tells me there is another reason for the 36-day self-destruct. Yes, 36 is a rather odd number, even for lawyers.


Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?