In an ongoing analysis of the Duqu Trojan, Kaspersky Lab researchers found that attackers had compromised CentOS Linux servers for their command-and-control infrastructure.
publicized the Duqu Trojan
in October, the unknown perpetrators behind the
data-gathering malware removed traces of their activity from all their command
and control servers to cover their tracks, Kaspersky Lab researchers have
the "massive cleanup," Kaspersky researchers were still able to
gather information on Duqu's C&C infrastructure, Vitaly Kamluk, chief
malware analyst at Kaspersky Lab, wrote on the company's SecureList blog. Along
with the command and control servers in India and Belgium, which have since
down by law enforcement authorities
, Duqu communicated with other servers
in Vietnam and the Netherlands, said Kamluk.
servers were used as main C&C proxies, and some were used by attackers to
bounce from one location to another to make it difficult for authorities to
track the malicious traffic. Kaspersky Lab estimated "more than a
dozen" C&C active servers for the Duqu Trojan dating as far back as
2009, Kamluk wrote.
day later, on Oct. 20, the attackers "wiped" every single server they
had used over
the past three years
in India, Vietnam, Germany, the United Kingdom,
Singapore, Switzerland, the Netherlands and South Korea, to name a few.
Unfortunately, the "most interesting server" in India was cleaned
"hours before" the hosting company agreed to make an image for
researchers to analyze, Kamluk said.
still do not know who is behind Duqu and Stuxnet," Kamluk said, adding
that "attackers have covered their tracks quite effectively." The "mothership"
server also remains a mystery, he said.
of the servers that had been hacked to become part of Duqu's infrastructure
were running Linux, namely CentOS 5.2, 5.4 or 5.5, a community version very
similar to Red Hat Enterprise Linux. Both 32-bit and 64-bit machines had been
compromised, according to Kamluk. It is not clear whether it was "just a coincidence"
or if the attackers preferred CentOS 5.x.
researchers spent quite some time trying to figure out how the servers were
compromised. The servers were running OpenSSH 4.3, which comes by default on
CentOS, and as soon as the attackers got in, they updated the software to
this suggests that the attackers were closing a hole once in the server to
prevent anyone else from coming in, and there have been reports of a possible
zero-day vulnerability in the client software used to access servers, Kaspersky
researchers could not say so definitely. This wouldn't be the first zero-day
exploit being used by Duqu, as researchers have already uncovered one targeting
the Microsoft Windows kernel
must be a good reason why the attackers are so concerned about updating OpenSSH
4.3 to version 5. Unfortunately, we do not know the answer to this
question," Kamluk wrote, and asked Linux administrators and OpenSSH
experts for suggestions.
though there was a possibility of a zero-day, the researchers thought it was
more likely that the servers' root passwords were brute-forced, based on a log
of a user attempting to log in as root multiple times over an 8-minute period
from an IP address in Singapore before finally succeeding.