Duqu hackers scrub evidence from command servers, shut down spying op
Delete all files and logs just days after researchers revealed botnet's existence
Computerworld - The hackers behind the Duqu botnet have shut down their snooping operation, a security researcher said today.
The 12 known command-and-control (C&C) servers for Duqu were scrubbed of all files on Oct. 20, 2011, according to Moscow-based Kaspersky Lab.
That was just two days after rival antivirus firm Symantec went public with its analysis of Duqu, a Trojan horse-based botnet that many security experts believe shared common code and characteristics with Stuxnet, the super-sophisticated worm that last year sabotaged Iran's nuclear program.
Duqu was designed, said Symantec and Kaspersky, by advanced hackers, most likely backed by an unknown country's government. Unlike Stuxnet, it was not crafted to wreak havoc on uranium enrichment centrifuges, but to scout out vulnerable installations and computer networks as a lead-in to the development of another worm targeting industrial control systems.
"I think this part of the [Duqu] operation is now closed." said Roel Schouwenberg, a Kaspersky senior researcher, in an emailed reply to questions today. "[But] that's not to say a new/modified operation may be under way."
Earlier Wednesday, another Kaspersky expert posted an update on the company's investigation into Duqu that noted the Oct. 20 hackers' house-cleaning.
According to Kaspersky, each Duqu variant -- and it knows of an even dozen -- used a different compromised server to manage the PCs infected with that specific version of the malware. Those servers were located in Belgium, India, the Netherlands and Vietnam, among other countries.
"The attackers wiped every single server they had used as far back as 2009," Kaspersky said, referring to the Oct. 20 cleaning job.
The hackers not only deleted all their files from those systems, but double-checked afterward that the cleaning had been effective, Kaspersky noted. "Each [C&C server] we've investigated has been scrubbed," said Schouwenberg.
Kaspersky also uncovered clues about Duqu's operation that it has yet to decipher.
The attackers quickly updated each compromised server's version of OpenSSH -- for Open BSD Secure Shell, an open-source toolkit for encrypting Internet traffic -- to a newer edition, replacing the stock 4.3 version with the newer 5.8.
Although there have been reports that OpenSSH contains an unpatched, or "zero-day," vulnerability -- perhaps exploited by the Duqu hackers to hijack legitimate servers for their own use -- Kaspersky eventually rejected that theory, saying it was simply "too scary" to contemplate.
Even so, it was one of two reasons Schouwenberg proposed for the fast update to OpenSSH 5.8.
"The logical assumption here is that we're looking at possibly a vulnerability in the older version and/or an added feature in the new version that's of use to the attacker," said Schouwenberg.
By updating OpenSSH from the possibly-vulnerable OpenSSH 4.3, the Duqu developers may have intended to ensure that other criminals couldn't steal their stolen servers.
Iran, which last year acknowledged some systems, including ones in its nuclear facilities, had been infected with Stuxnet, two weeks ago admitted Duqu had also wiggled its way onto PCs in the country.
Duqu has been traced to attacks in several countries other than Iran, including the Sudan, and may have been under construction since August 2007.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts