Duqu perpetrators wipe command servers of evidence

The identity of those behind Duqu, the so-called "son of Stuxnet," is still a mystery and the perpetrators have taken pains to keep it that way.

On Oct. 20, just two days after security firm Symantec first released details about Duqu, the coders behind the information-stealing trojan, which researchers believe shares much of its code with the notorious Stuxnet worm, scrubbed all the files from their command-and-control (C&C) servers in an effort to conceal their identity, according to researchers at anti-virus firm Kaspersky Lab. The C&C servers, some of them in use as far back as 2009, were located in India, Vietnam, Germany, the U.K., the Netherlands, Belgium and South Korea, among other countries.

Roel Schouwenberg, senior researcher at Kaspersky Lab, told SCMagazineUS.com in an email Thursday that the attackers' efforts to keep their identity under wraps have undoubtedly made it more difficult for those investigating the threat.

“On an untouched server, we would have been able to find more pieces of the puzzle,” Schouwenberg said. “With an untouched server, I would have expected that we'd find more details on both the operations side, as well as some interesting new files to look at.”

Despite the massive cleanup, researchers have gleaned some information about how the Duqu infrastructure operated. The C&C servers, which likely number more than a dozen, were all hacked machines running CentOS Linux, an open-source operating system, Vitaly Kamluk, a Kaspersky Lab expert, said in a blog post Wednesday.

The perpetrators appear to have compromised the command servers by brute-forcing login passwords. The server that researchers believed held the most detail, located in India, was wiped just hours before the hosting company agreed to make a forensic image of it.

“If the image had been made earlier, it's possible that now we'd know a lot more about the inner workings of the network,” Kamluk wrote.
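The compromise route described above, password brute-forcing against hacked CentOS hosts, is exactly the kind of activity an untouched server's authentication log would have recorded. The following is an added example, not code from the article or from Kaspersky Lab, showing how an investigator with an image of such a machine might sweep its sshd log for a burst of failed password attempts from one address followed by a successful login. It assumes the CentOS /var/log/secure line format; the log lines, hostname and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of CentOS-style /var/log/secure lines. These are made up
# for illustration and are not log lines recovered from the Duqu servers.
SAMPLE_LOG = """\
Nov 14 03:14:01 c2proxy sshd[2231]: Failed password for root from 198.51.100.23 port 41022 ssh2
Nov 14 03:14:03 c2proxy sshd[2233]: Failed password for root from 198.51.100.23 port 41023 ssh2
Nov 14 03:14:04 c2proxy sshd[2235]: Failed password for root from 198.51.100.23 port 41024 ssh2
Nov 14 03:14:06 c2proxy sshd[2237]: Failed password for root from 198.51.100.23 port 41025 ssh2
Nov 14 03:14:07 c2proxy sshd[2239]: Failed password for root from 198.51.100.23 port 41026 ssh2
Nov 14 03:14:09 c2proxy sshd[2241]: Accepted password for root from 198.51.100.23 port 41027 ssh2
Nov 14 03:14:09 c2proxy sshd[2241]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 14 09:02:15 c2proxy sshd[3102]: Failed password for invalid user admin from 203.0.113.9 port 55100 ssh2
Nov 14 11:30:44 c2proxy sshd[3310]: Accepted publickey for deploy from 192.0.2.7 port 50210 ssh2
"""

# Matches sshd "Failed"/"Accepted" authentication lines in syslog format.
# Session-open and other pam lines deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text, year=2011):
    """Return a list of (timestamp, result, method, user, ip) tuples.

    syslog lines carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce_logins(text, threshold=5, window_seconds=300):
    """Flag password logins that were preceded by a burst of failures.

    A finding is raised when an address accumulates at least `threshold`
    failed password attempts within `window_seconds` and then has a
    password login accepted. Public-key logins are ignored: a key-based
    success after password failures is not the brute-force pattern.
    """
    failures = defaultdict(list)  # ip -> timestamps of failed password attempts
    findings = []
    for ts, result, method, user, ip in parse_events(text):
        if method != "password":
            continue
        if result == "Failed":
            failures[ip].append(ts)
            continue
        # Accepted password login: count recent failures from the same address.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({
                "ip": ip,
                "user": user,
                "failures_before_success": len(recent),
                "accepted_at": ts.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{f['ip']} logged in as {f['user']} at {f['accepted_at']} "
              f"after {f['failures_before_success']} failed password attempts")
```

On a real image the script would be pointed at the recovered /var/log/secure (and rotated copies), and the threshold tuned to the host's normal traffic; the lone failed "admin" attempt in the sample is ordinary internet background noise and is correctly left unflagged. The point of the exercise is also the point of Kamluk's remark: these are the records that a wipe destroys, and that only an image taken before the wipe preserves.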

Besides the identity of the Duqu perpetrators, other unknowns remain.

The known compromised servers were never the true command infrastructure, according to Kamluk. Instead, they acted as proxies that redirected traffic to the actual “Duqu mothership,” whose location remains a mystery.
