Shortly after Symantec publicised the Duqu Trojan in October, the unknown perpetrators behind the data-gathering malware removed traces of their activity from all their command and control servers to cover their tracks, Kaspersky Lab researchers have discovered.
Despite the “massive cleanup”, Kaspersky researchers were still able to gather information on Duqu’s command and control (C&C) infrastructure, Vitaly Kamluk, chief malware analyst at Kaspersky Lab, wrote on the company’s SecureList blog.
Along with the command and control servers in India and Belgium, which have since been shut down by law enforcement authorities, Duqu communicated with other servers in Vietnam and the Netherlands, said Kamluk.
A day later, on 20 October, the attackers “wiped” every single server they had used over the past three years in India, Vietnam, Germany, the United Kingdom, Singapore, Switzerland, the Netherlands and South Korea, to name a few. Unfortunately, the “most interesting server” in India was cleaned “hours before” the hosting company agreed to make an image for researchers to analyse, Kamluk said.
“We still do not know who is behind Duqu and Stuxnet,” Kamluk said, adding that “attackers have covered their tracks quite effectively”. The main “mothership” server also remains a mystery, he said.
Many of the servers that had been hacked to become part of Duqu’s infrastructure were running Linux, namely CentOS 5.2, 5.4 or 5.5, a community version very similar to Red Hat Enterprise Linux. Both 32-bit and 64-bit machines had been compromised, according to Kmaluk. It was not clear whether it was “just a coincidence” or if the attackers preferred CentOS 5.x.
Kaspersky researchers spent quite some time trying to figure out how the servers were compromised. The servers were running OpenSSH 4.3, which comes by default on CentOS and as soon as the attackers got in, updated the software to version 5.8.
While this suggests that the attackers were closing a hole once in the server to prevent anyone else from coming in, and there have been reports of a possible zero-day vulnerability in the client software used to access servers, Kaspersky researchers could not say so definitely. This would not be the first zero-day exploit being used by Duqu, as researchers have already uncovered one targeting the Microsoft Windows kernel.
“There must be a good reason why the attackers are so concerned about updating OpenSSH 4.3 to version 5. Unfortunately, we do not know the answer to this question,” Kamluk wrote, and asked Linux administrators and OpenSSH experts for suggestions.
Even though there was a possibility of a zero-day, the researchers thought it was more likely that the servers’ root passwords were brute-forced, based on a log of a user attempting to log in as root multiple times over an eight-minute period from an IP address in Singapore before finally succeeding.
Thoma Bravo agrees to acquire Darktrace for $5.32 billion in cash, delivering some welcome news…
Customer adoption of AI services embedded in cloud services continues to deliver results for Microsoft,…
TikTok's 'secret source' algorithm is so core to ByteDance, it would rather shut down US…
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…