Duqu Attackers Wiped Traces Off Linux C&C Servers

Shortly after Symantec publicised the Duqu Trojan in October, the unknown perpetrators behind the data-gathering malware removed traces of their activity from all their command and control servers to cover their tracks, Kaspersky Lab researchers have discovered.

Despite the “massive cleanup”, Kaspersky researchers were still able to gather information on Duqu’s command and control (C&C) infrastructure, Vitaly Kamluk, chief malware analyst at Kaspersky Lab, wrote on the company’s SecureList blog.

Removing fingerprints

Along with the command and control servers in India and Belgium, which have since been shut down by law enforcement authorities, Duqu communicated with other servers in Vietnam and the Netherlands, said Kamluk.

Other servers were used as main C&C proxies and some were used by attackers to bounce from one location to another to make it difficult for authorities to track the malicious traffic. Kaspersky Lab estimated “more than a dozen” C&C active servers for the Duqu Trojan dating as far back as 2009, Kamluk wrote.

A day later, on 20 October, the attackers “wiped” every single server they had used over the past three years in India, Vietnam, Germany, the United Kingdom, Singapore, Switzerland, the Netherlands and South Korea, to name a few. Unfortunately, the “most interesting server” in India was cleaned “hours before” the hosting company agreed to make an image for researchers to analyse, Kamluk said.

“We still do not know who is behind Duqu and Stuxnet,” Kamluk said, adding that “attackers have covered their tracks quite effectively”. The main “mothership” server also remains a mystery, he said.

Many of the servers that had been hacked to become part of Duqu’s infrastructure were running Linux, namely CentOS 5.2, 5.4 or 5.5, a community version very similar to Red Hat Enterprise Linux. Both 32-bit and 64-bit machines had been compromised, according to Kmaluk. It was not clear whether it was “just a coincidence” or if the attackers preferred CentOS 5.x.

Kaspersky researchers spent quite some time trying to figure out how the servers were compromised. The servers were running OpenSSH 4.3, which comes by default on CentOS and as soon as the attackers got in, updated the software to version 5.8.

While this suggests that the attackers were closing a hole once in the server to prevent anyone else from coming in, and there have been reports of a possible zero-day vulnerability in the client software used to access servers, Kaspersky researchers could not say so definitely. This would not be the first zero-day exploit being used by Duqu, as researchers have already uncovered one targeting the Microsoft Windows kernel.

“There must be a good reason why the attackers are so concerned about updating OpenSSH 4.3 to version 5. Unfortunately, we do not know the answer to this question,” Kamluk wrote, and asked Linux administrators and OpenSSH experts for suggestions.

Even though there was a possibility of a zero-day, the researchers thought it was more likely that the servers’ root passwords were brute-forced, based on a log of a user attempting to log in as root multiple times over an eight-minute period from an IP address in Singapore before finally succeeding.