ID: IRCNE2011121330
Date: 2011-12-03
According to “TechWorld”, the hackers behind the Duqu botnet have shut down their snooping operation, a security researcher said today. The 12 known command-and-control (C&C) servers for Duqu were scrubbed of all files on 20 October 2011, according to Moscow-based Kaspersky Lab.
That was just two days after rival antivirus firm Symantec went public with its analysis of Duqu, a Trojan horse-based botnet that many security experts believe shared common code and characteristics with Stuxnet.
Unlike Stuxnet, Duqu was not crafted to wreak havoc, but to scout out vulnerable installations and computer networks as a lead-in to the development of another worm targeting industrial control systems.
"I think this part of the [Duqu] operation is now closed," said Roel Schouwenberg, a Kaspersky senior researcher. "[But] that's not to say a new/modified operation may be under way."
According to Kaspersky, each Duqu variant used a different compromised server to manage the PCs infected with that specific version of the malware. Those servers were located in Belgium, India, the Netherlands and Vietnam, among other countries.
"The attackers wiped every single server they had used as far back as 2009," Kaspersky said, referring to the aforementioned cleaning job.
The hackers not only deleted all their files from those systems, but double-checked afterward that the cleaning had been effective, Kaspersky noted. "Each [C&C server] we've investigated has been scrubbed," said Schouwenberg.
The attackers quickly updated each compromised server's version of OpenSSH to a newer edition, replacing the stock 4.3 version with the newer 5.8.
Although there have been reports that OpenSSH contains an unpatched, or "zero-day," vulnerability - perhaps exploited by the Duqu hackers to hijack legitimate servers for their own use - Kaspersky eventually rejected that theory, saying it was simply "too scary" to contemplate.
Related Links:
Duqu, very sophisticated