
Duqu perpetrators wipe command servers of evidence

The identity of those behind Duqu, the so-called "son of Stuxnet," is still a mystery and the perpetrators have taken pains to keep it that way.

On Oct 20, just two days after security firm Symantec first released details about Duqu, the coders behind the information-stealing trojan, which researchers believe shares much of its code with the notorious Stuxnet worm, scrubbed all the files from their command-and-control (C&C) servers in an effort to conceal their identity, according to researchers at anti-virus firm Kaspersky Lab. The C&C servers, used as far back as 2009, were located in India, Vietnam, Germany, the U.K., the Netherlands, Belgium and South Korea, among other countries.

Roel Schouwenberg, senior researcher at Kaspersky Lab, said in an email Thursday that the attackers' efforts to keep their identity under wraps have undoubtedly made it more difficult for those investigating the threat.

“On an untouched server, we would have been able to find more pieces of the puzzle,” Schouwenberg said. “With an untouched server, I would have expected that we'd find more details on both the operations side, as well as some interesting new files to look at.”

Despite the massive cleanup, researchers have gleaned some information about how the Duqu infrastructure operated. The C&C servers, which likely number more than a dozen, were all hacked machines running CentOS Linux, an open-source operating system, Vitaly Kamluk, a Kaspersky Lab expert, said in a blog post Wednesday.

The perpetrators appear to have compromised the command servers using brute-force methods. The server that security experts believed contained the most details, located in India, was wiped just hours before the hosting company agreed to make an image of it.

“If the image had been made earlier, it's possible that now we'd know a lot more about the inner workings of the network,” Kamluk wrote.

Besides the identity of the Duqu perpetrators, other unknowns remain.

The known compromised servers were never used as the true command infrastructure, according to Kamluk. Instead, they were used as proxies to redirect traffic to the actual “Duqu mothership,” the location of which remains a mystery.
