Duqu perpetrators wipe command servers of evidence

The identity of those behind Duqu, the so-called "son of Stuxnet," is still a mystery and the perpetrators have taken pains to keep it that way.

On Oct. 20, just two days after security firm Symantec first released details about Duqu, the coders behind the information-stealing trojan, which researchers believe shares much of its code with the notorious Stuxnet worm, scrubbed all the files from their command-and-control (C&C) servers in an effort to conceal their identity, according to researchers at anti-virus firm Kaspersky Lab. The C&C servers, used as far back as 2009, were located in India, Vietnam, Germany, the U.K., the Netherlands, Belgium and South Korea, among other countries.

Roel Schouwenberg, senior researcher at Kaspersky Lab, told SCMagazineUS.com in an email Thursday that the attackers' efforts to keep their identity under wraps have undoubtedly made it more difficult for those investigating the threat.

“On an untouched server, we would have been able to find more pieces of the puzzle,” Schouwenberg said. “With an untouched server, I would have expected that we'd find more details on both the operations side, as well as some interesting new files to look at.”

Despite the massive cleanup, researchers have gleaned some information about how the Duqu infrastructure operated. The C&C servers, which likely number more than a dozen, were all hacked machines running CentOS Linux, an open-source operating system, Vitaly Kamluk, a Kaspersky Lab expert, said in a blog post Wednesday.

The perpetrators appear to have compromised the command servers by using brute force methods. What security experts believed was the server containing the most details, located in India, was wiped just hours before the hosting company agreed to make an image of it.

“If the image had been made earlier, it's possible that now we'd know a lot more about the inner workings of the network,” Kamluk wrote.

Besides the identity of the Duqu perpetrators, other unknowns remain.

The known compromised servers were never used as the true command infrastructure, according to Kamluk. Instead, they were used as proxies to redirect traffic to the actual “Duqu mothership,” the location of which remains a mystery.
