Full Disclosure mailing list archives
Re: The Mystery of the Duqu Framework
From: Alberto Fabiano <alberto () computer org>
Date: Sat, 10 Mar 2012 17:17:49 -0300
Well, I'm suspecting that O'Caml is compiled with ocamlc, will analyze a bit to confirm my suspicion.

[]s

On Sat, Mar 10, 2012 at 16:16, Laurelai <laurelai () oneechan org> wrote:

> On 3/10/2012 9:00 AM, 夜神 岩男 wrote:
>> On 03/10/2012 03:51 AM, fd () deserted net wrote:
>>> http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
>>>
>>> Haven't seen this (or much discussion around this) here yet, so I figured I'd share.
>>
>> From the description, it looks like someone pushed some code from a Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by GCL, for example, before compilation) into a C++ DLL. Normal in the deeper end of Linux dev or Hurd communities, but definitely not standard practice in any established industry that makes use of Windows.
>>
>> I could be wrong, I didn't take the time to walk myself through the decompile with any thoroughness and compare it to code I generate. Anyway, I have no idea of the differences between how VC++ and g++ do things -- so my analysis would probably be trash. But from the way Mr. Soumenkov describes things it seems this, or something similar, could be the case and why the code doesn't conform to what's expected in a C++ binary.
>>
>> -IY
>>
>> 1. [Caveat] I say "Lisp" but some other languages come to mind as well; maybe Haskell would come out that way. I'm not sure because I'm most familiar with Lisp and know it can be cobbled with C/C++ without complications because of the way most of its C-based implementations work. Anyway, if I were looking for a lock on how this code was produced, I would ignore C-based languages and focus instead on languages that behave this way natively first, because I think that's the least exotic explanation for the features this segment of code exhibits.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> Lisp? Are you serious?

--
Alberto Fabiano C. de Medeiros
alberto () computer org
PGP Key ID: 232D3D06
- .... . -... . ... - .-- .- -.-- - --- .--. .-. . -.. .. -.-. -- .... . ..-. ..- - ..- .-. . .. ... - -- .. -. ...- . -. - .. - .- .-.. .- -. -.- .- -.--
k'bɪt Y> "The best way to predict the future is to invent it." --Alan Kay
k'bɪt X> "Chance favors the prepared mind." --Louis Pasteur
k'bɪt Z> "The world is full of fascinating problems waiting to be solved" --Eric S. Raymond
Current thread:
- The Mystery of the Duqu Framework fd (Mar 10)
- Re: The Mystery of the Duqu Framework Sanguinarious Rose (Mar 10)
- Re: The Mystery of the Duqu Framework Laurelai (Mar 10)
- Re: The Mystery of the Duqu Framework Sanguinarious Rose (Mar 10)
- Re: The Mystery of the Duqu Framework Laurelai (Mar 10)
- Re: The Mystery of the Duqu Framework Sanguinarious Rose (Mar 10)
- Re: The Mystery of the Duqu Framework Laurelai (Mar 10)
- Re: The Mystery of the Duqu Framework Laurelai (Mar 10)
- Re: The Mystery of the Duqu Framework Sanguinarious Rose (Mar 10)
- Re: The Mystery of the Duqu Framework Laurelai (Mar 10)
- Re: The Mystery of the Duqu Framework Alberto Fabiano (Mar 11)
- Re: The Mystery of the Duqu Framework William Pitcock (Mar 10)
- Re: The Mystery of the Duqu Framework Laurelai (Mar 10)
- Re: The Mystery of the Duqu Framework Sanguinarious Rose (Mar 19)
- Re: The Mystery of the Duqu Framework Mario Vilas (Mar 19)
- Re: The Mystery of the Duqu Framework Valdis . Kletnieks (Mar 19)
- Re: The Mystery of the Duqu Framework Andrew King (Mar 19)