Security researchers conducting extensive forensics on the command-and-control server network connected to the Duqu Trojan have found the cybercriminals behind the malware were careful to cover their tracks.
A global cleanup operation took place on Oct. 20, just two days after a report outlined Duqu and its similarities to the Stuxnet worm, said Vitaly Kamluk, a malware expert at Kaspersky Lab. In a detailed report of the analysis conducted by Kaspersky researchers, Kamluk said his team found more than a dozen command-and-control servers operating during the past three years. So far, the researchers have identified more than a dozen different Duqu variants, Kamluk said.
“We still do not know who is behind Duqu and Stuxnet,” Kamluk wrote Wednesday in a blog post outlining the latest Duqu analysis. “Although we have analyzed some of the servers, the attackers have covered their tracks quite effectively.”
The Kaspersky researchers found evidence that supports the theory that those behind Duqu were well-funded and had the technical expertise necessary to target specific companies, covertly obtain specific data and then cover their tracks, leaving few clues for forensics investigators. Duqu shared some of the same source code as Stuxnet, the notorious worm designed to disrupt specific SCADA system processes. Some security experts believe the Duqu Trojan was designed to gather intelligence needed for a more serious attack against supervisory control and data acquisition (SCADA) systems.
According to the Kaspersky Lab analysis, the original Duqu malware samples were traced back to a command-and-control server in India, which was remotely wiped just hours before the hosting company made an image for investigators. The server in India was also connected to a server in Belgium as well as servers in Vietnam and the Netherlands. Other servers were identified in Germany, Singapore, Switzerland, the UK and South Korea.
The servers were running CentOS Linux and were hacked by brute forcing the root password, Kamluk said. “The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server,” he wrote. The researchers surmised that one of these servers, located in Vietnam, was used to control certain Duqu variants found in Iran.
Despite the deep analysis, researchers could not determine which server was the base for all of the infections. The researchers also could not corroborate a theory that the attackers used a zero-day vulnerability against OpenSSH 4.3 on CentOS.
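The two indicators the report attributes to the attackers, a brute-forced root password followed by an immediate upgrade of the OpenSSH package, are both visible in standard CentOS logs. The following is an added example, not code from the article or from Kaspersky Lab: it runs over constructed sample lines in the /var/log/secure and /var/log/yum.log formats and flags a root login that follows a burst of failed passwords from the same address, plus any openssh-server package change recorded by yum.

```python
import re
from collections import defaultdict

# Constructed sample lines in CentOS /var/log/secure format (not from the article).
SECURE_LOG = """\
Oct 18 02:11:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 18 02:11:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 40114 ssh2
Oct 18 02:11:04 host sshd[2205]: Failed password for root from 203.0.113.7 port 40116 ssh2
Oct 18 02:11:06 host sshd[2207]: Failed password for root from 203.0.113.7 port 40118 ssh2
Oct 18 02:11:08 host sshd[2209]: Failed password for root from 203.0.113.7 port 40120 ssh2
Oct 18 02:11:09 host sshd[2211]: Accepted password for root from 203.0.113.7 port 40122 ssh2
Oct 18 09:30:00 host sshd[2300]: Accepted publickey for admin from 198.51.100.2 port 50000 ssh2
"""
# Constructed sample line in CentOS /var/log/yum.log format (not from the article).
YUM_LOG = "Oct 18 02:14:55 Updated: openssh-server-5.3p1-1.el5.x86_64\n"

SSHD_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)
YUM_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?:Updated|Installed): (openssh-server-\S+)")

def root_bruteforce_then_success(secure_text, threshold=5):
    """Return (ip, failure_count) for each source that failed root password
    authentication at least `threshold` times and then logged in as root."""
    failures = defaultdict(int)
    hits = []
    for line in secure_text.splitlines():
        m = SSHD_RE.match(line)
        if not m or m["user"] != "root":
            continue
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif failures[m["ip"]] >= threshold:
            hits.append((m["ip"], failures[m["ip"]]))
    return hits

def openssh_server_updates(yum_text):
    """Return openssh-server packages installed or updated according to yum.log;
    an upgrade nobody scheduled is worth correlating with the sshd events above."""
    return [m.group(1) for m in map(YUM_RE.match, yum_text.splitlines()) if m]

if __name__ == "__main__":
    for ip, n in root_bruteforce_then_success(SECURE_LOG):
        print(f"root login from {ip} after {n} failed passwords")
    for pkg in openssh_server_updates(YUM_LOG):
        print(f"openssh-server changed: {pkg}")
```

On a real host the same functions can be fed the contents of /var/log/secure and /var/log/yum.log directly; the threshold is a tuning knob, not a fact from the report.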
“Many other servers were used as part of the infrastructure, some of them used as main C&C proxies while others were used by the attackers to jump around the world and make tracing more difficult,” Kamluk wrote. “The attackers wiped every single server they had used as far back as 2009 – in India, Vietnam, Germany, the UK and so on.”