Attackers Clean Out Duqu Servers

Monday, December 5, 2011 @ 07:12 PM gHale

The attackers behind the Duqu botnet have shut down their espionage operation, a security researcher said.

All files on the 12 known command-and-control (C&C) servers for Duqu have been deleted, according to Moscow-based Kaspersky Lab.

The cleanup came just two days after antivirus firm Symantec went public with its analysis of Duqu, a Trojan horse-based botnet that many security experts believe shares code and characteristics with Stuxnet, the highly sophisticated worm that sabotaged Iran’s nuclear program last year.

ISSSource reported in November that American and Israeli officials are heading a team effort to perfect a new Stuxnet-derived worm, Duqu, that may be able to bring down Iran’s software networks if the Iranian regime gets too close to nuclear breakout, U.S. intelligence sources said.

“Stuxnet has not become useless in the least,” said a serving U.S. intelligence official. “It has all sorts of untapped potential.”

Another intelligence official said, “The cyber warfare potential of Stuxnet has by no means been exhausted. It hasn’t demonstrated the full damage it could cause if deployed.”

According to U.S. sources who declined to be named, Duqu’s code shares features with the Stuxnet worm that did such damage to Tehran’s nuclear program. Duqu has two parts: the first performs reconnaissance of the target and assesses its vulnerabilities, and the second handles delivery. In the case of Stuxnet, the United States developed the “payload,” while Israel used much less sophisticated software to deliver the worm to Iranian machines.

Duqu was designed by advanced attackers, most likely backed by the government of an as-yet unidentified country, Symantec and Kaspersky said. Unlike Stuxnet, its mission was to scout out vulnerable installations and computer networks as a lead-in to the development of another worm targeting industrial control systems.

“I think this part of the [Duqu] operation is now closed,” said Roel Schouwenberg, a Kaspersky senior researcher. “[But] that’s not to say a new/modified operation may be under way.”

On Wednesday, another Kaspersky expert posted an update on the company’s investigation into Duqu that noted the attackers’ Oct. 20 house-cleaning.

Each of the 12 known Duqu variants used a different compromised server to manage the PCs infected with that specific version of the malware, Kaspersky researchers said. Those servers were located in Belgium, India, the Netherlands and Vietnam, among other countries.

In the Oct. 20 cleaning job, the attackers wiped every server they had used, going as far back as 2009, Kaspersky researchers said.

The attackers not only deleted all their files from those systems but also checked afterward that the cleaning had been effective, Kaspersky researchers said. “Each [C&C server] we’ve investigated has been scrubbed,” Schouwenberg said.

Kaspersky also uncovered clues about Duqu’s operation that it has yet to decipher.

On each compromised server the attackers updated OpenSSH (the OpenBSD Secure Shell suite, an open-source implementation of the SSH protocol used for encrypted remote logins and file transfer) to a newer release, replacing the stock 4.3 version with 5.8.

Although there has been speculation that OpenSSH 4.3 contains an unpatched, or “zero-day,” vulnerability, Kaspersky ultimately rejected that theory, saying the prospect was simply “too scary” to contemplate.

Even so, an unknown flaw was one of two reasons Schouwenberg proposed for the prompt update to OpenSSH 5.8.

“The logical assumption here is that we’re looking at possibly a vulnerability in the older version and/or an added feature in the new version that’s of use to the attacker,” said Schouwenberg.

By upgrading from the possibly vulnerable OpenSSH 4.3, the Duqu operators may have intended to make sure that other criminals could not hijack the servers they had already compromised.
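The OpenSSH clue suggests a simple fleet-wide check an incident responder can run: collect the SSH server banners and flag any host whose OpenSSH is newer than the build its distribution actually ships. The Python below is an added example and is not code from Kaspersky or from this article; the hostnames, the per-host baseline table and the banner strings are constructed for illustration, and in practice the baseline would come from the package manager rather than a hand-written table.

```python
"""Flag servers whose running OpenSSH is newer than the build their distribution ships.

Added example, not code from Kaspersky or ISSSource.  The hostnames, the
baseline table and the banner strings are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# SSH identification string sent by the server on connect,
# e.g. "SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3".  Only the release number
# (5.8) is compared; the portable-release suffix (p1) is ignored.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p\d+)?"
)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.8' -> (5, 8).  Tuples compare numerically, so 4.10 > 4.3 (a string compare would not)."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner: str) -> Optional[Version]:
    """Return the OpenSSH release from a banner, or None for non-OpenSSH servers."""
    match = BANNER_RE.match(banner.strip())
    if match is None:
        return None
    return parse_version(match.group("ver"))


def find_upgraded(observed: Dict[str, str], stock: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare each observed banner against the distribution's stock version.

    'upgraded'   : OpenSSH newer than stock (worth a closer look, as on the Duqu C&Cs)
    'downgraded' : OpenSSH older than stock
    'no_baseline': host missing from the stock table
    'not_openssh': banner not recognised as OpenSSH
    """
    result: Dict[str, List[str]] = {
        "upgraded": [], "downgraded": [], "no_baseline": [], "not_openssh": []
    }
    for host, banner in sorted(observed.items()):
        running = parse_banner(banner)
        if running is None:
            result["not_openssh"].append(host)
            continue
        if host not in stock:
            result["no_baseline"].append(host)
            continue
        expected = parse_version(stock[host])
        if running > expected:
            result["upgraded"].append(host)
        elif running < expected:
            result["downgraded"].append(host)
    return result


# Constructed baseline: the OpenSSH version each (hypothetical) host's distribution packages.
STOCK_VERSIONS = {
    "cc-be.example": "4.3",
    "cc-in.example": "4.3",
    "cc-nl.example": "5.3",
    "cc-vn.example": "4.3",
}

# Constructed banners, as a scanner would collect them from TCP port 22.
OBSERVED_BANNERS = {
    "cc-be.example": "SSH-2.0-OpenSSH_5.8p1",
    "cc-in.example": "SSH-2.0-OpenSSH_4.3",
    "cc-nl.example": "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7",
    "cc-vn.example": "SSH-2.0-OpenSSH_5.8p2",
    "relay.example": "SSH-2.0-OpenSSH_5.9p1",
    "mail.example": "SSH-2.0-dropbear_2011.54",
}


if __name__ == "__main__":
    for category, hosts in find_upgraded(OBSERVED_BANNERS, STOCK_VERSIONS).items():
        print(f"{category:12s} {', '.join(hosts) or '-'}")
```

A banner-only check is a first pass, not proof: a host can present a newer banner because an administrator patched it legitimately, and an attacker who replaced the binary outside the package manager can equally leave the banner untouched. Hosts in the "upgraded" bucket should be confirmed against the package database and the binary's file hash before being treated as suspicious.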

Iran, which last year acknowledged that some of its systems, including ones in its nuclear facilities, had been infected by Stuxnet, admitted two weeks ago that Duqu had also made its way onto PCs in the country.

Duqu has been used in attacks in several countries other than Iran, including Sudan, and may have been in development since August 2007.