Security researchers conducting extensive forensics on the command-and-control server network connected to the Duqu Trojan have found the cybercriminals behind the malware were careful to cover their tracks.
"We still do not know who is behind Duqu and Stuxnet. Although we have analyzed some of the servers, the attackers have covered their tracks quite effectively." - Vitaly Kamluk, Kaspersky Lab
A global cleanup operation took place on Oct. 20, just two days after a report outlined Duqu and its similarities to the Stuxnet worm, said Vitaly Kamluk, a malware expert at Kaspersky Lab. In a detailed report of the analysis conducted by Kaspersky researchers, Kamluk said his team found more than a dozen command-and-control servers operating during the past three years. So far, the researchers have identified more than a dozen different Duqu variants, Kamluk said.
"We still do not know who is behind Duqu and Stuxnet," Kamluk wrote Wednesday in a blog post outlining the latest Duqu analysis. "Although we have analyzed some of the servers, the attackers have covered their tracks quite effectively."
The Kaspersky researchers found evidence that supports the theory that those behind Duqu were well-funded and had the technical expertise necessary to target specific companies, covertly obtain specific data and then cover their tracks, leaving few clues for forensics investigators. Duqu shared some of the same source code as Stuxnet, the notorious worm designed to disrupt specific supervisory control and data acquisition (SCADA) system processes. Some security experts believe the Duqu Trojan was designed to gather intelligence needed for a more serious attack against SCADA systems.
According to the Kaspersky Lab analysis, the original Duqu malware samples were traced back to a command-and-control server in India, which was remotely wiped just hours before the hosting company made an image for investigators. The server in India was also connected to a server in Belgium as well as servers in Vietnam and the Netherlands. Other servers were identified in Germany, Singapore, Switzerland, the UK and South Korea.
The servers were running CentOS Linux and were hacked by brute forcing the root password, Kamluk said. "The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server," he wrote. The researchers surmised that the server in Vietnam was used to control certain Duqu variants found in Iran.
Despite the deep analysis, researchers could not determine which server was the base for all of the infections. The researchers also could not corroborate a theory that the attackers used a zero-day vulnerability against OpenSSH 4.3 on CentOS.
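The root-password brute forcing described above leaves a trail in sshd's authentication log. As an added example (not code from the Kaspersky report), the following Python script scans CentOS-style /var/log/secure lines for repeated failed root password attempts from one source address and records whether a later successful root password login from the same source followed; the log lines and hostname are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in CentOS /var/log/secure (syslog) format; not from the report.
SAMPLE_LOG = """\
Oct 18 02:11:01 c2host sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 18 02:11:03 c2host sshd[2233]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct 18 02:11:05 c2host sshd[2235]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 18 02:11:07 c2host sshd[2237]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct 18 02:11:09 c2host sshd[2239]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 18 02:11:12 c2host sshd[2241]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct 18 02:14:40 c2host sshd[2250]: Accepted publickey for deploy from 198.51.100.9 port 40011 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_root_bruteforce(log_text, threshold=5):
    """Return findings for source IPs with at least `threshold` failed root
    password attempts. Each finding records the failure count and the
    timestamp of a later 'Accepted password for root' from the same IP,
    or None if the brute force never succeeded."""
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only password-based attempts against root are of interest here.
        if not m or m["user"] != "root" or m["method"] != "password":
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                entry = findings.setdefault(ip, {"ip": ip, "succeeded_at": None})
                entry["failed"] = failures[ip]
        elif ip in findings and findings[ip]["succeeded_at"] is None:
            # A successful root password login after the threshold was crossed.
            findings[ip]["succeeded_at"] = m["ts"]
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_root_bruteforce(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty succeeded_at is the case to treat as a confirmed compromise rather than noise; disabling password authentication for root in sshd_config removes this path entirely.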
"Many other servers were used as part of the infrastructure, some of them used as main C&C proxies while others were used by the attackers to jump around the world and make tracing more difficult," Kamluk wrote. "The attackers wiped every single server they had used as far back as 2009 in India, Vietnam, Germany, the UK and so on."