Duqu perpetrators wipe command servers of evidence

The identity of those behind Duqu, the so-called "son of Stuxnet," is still a mystery and the perpetrators have taken pains to keep it that way.

On Oct. 20, just two days after security firm Symantec first released details about Duqu, the coders behind the information-stealing trojan, which researchers believe shares much of its code with the notorious Stuxnet worm, scrubbed all the files from their command-and-control (C&C) servers in an effort to conceal their identity, according to researchers at anti-virus firm Kaspersky Lab. The C&C servers, used as far back as 2009, were located in India, Vietnam, Germany, the U.K., the Netherlands, Belgium and South Korea, among other countries.

Roel Schouwenberg, senior researcher at Kaspersky Lab, told SCMagazineUS.com in an email Thursday that the attackers' efforts to keep their identity under wraps have undoubtedly made it more difficult for those investigating the threat.

“On an untouched server, we would have been able to find more pieces of the puzzle,” Schouwenberg said. “With an untouched server, I would have expected that we'd find more details on both the operations side, as well as some interesting new files to look at.”

Despite the massive cleanup, researchers have gleaned some information about how the Duqu infrastructure operated. The C&C servers, which likely number more than a dozen, were all hacked machines running CentOS Linux, an open-source operating system, Vitaly Kamluk, a Kaspersky Lab expert, said in a blog post Wednesday.

The perpetrators appear to have compromised the command servers by using brute force methods. What security experts believed was the server containing the most details, located in India, was wiped just hours before the hosting company agreed to make an image of it.

“If the image had been made earlier, it's possible that now we'd know a lot more about the inner workings of the network,” Kamluk wrote.

Besides the identity of the Duqu perpetrators, other unknowns remain.

The known compromised servers were never used as the true command infrastructure, according to Kamluk. Instead, they were used as proxies to redirect traffic to the actual “Duqu mothership,” the location of which remains a mystery.
