Researchers have known for years that virus writers and attackers pay close attention to the analyses researchers do of their work, and it appears that the Duqu authors are no exception. Shortly after the first public reports about Duqu emerged in early autumn, the crew behind Duqu wiped out all of the command-and-control servers that had been in use up to that point, including some that had been used since 2009.
An in-depth analysis of the known C&C servers used in the Duqu attacks has found that some of the servers were compromised as far back as 2009, and that the attackers clearly targeted Linux machines. All of the known Duqu C&C servers discovered up to this point have been running CentOS, with some being 32-bit systems and others 64-bit. The servers that the Duqu attackers have been using in their operations have not been confined to any one region or country, but instead have been located in a variety of countries, including Vietnam, Germany, Switzerland, the Netherlands and India.
The new analysis, done by researchers at Kaspersky Lab based on known C&C servers in Vietnam and Germany, found that the most likely scenario for the compromise of the C&C servers is through a brute-force password attack. However, the researchers also found some evidence on the servers that they analyzed that could indicate that the attackers were using a zero-day vulnerability in a specific OpenSSH package to compromise the servers. Immediately upon compromising a new server, the attackers would update the existing OpenSSH installation from 4.3 to version 5.8. It was among the first tasks that the attackers carried out on each new server, in fact.
The researchers found some forum posts from 2009 discussing a possible zero-day flaw being used against OpenSSH 4.3 in active attacks. But the most likely attack scenario still seems to be password brute-forcing.
“Could this be the case here? Knowing the Duqu guys and their never-ending bag of 0-day exploits, does it mean they also have a Linux 0-day against OpenSSH 4.3? Unfortunately, we do not know. If we look at the ‘sshd.log’ from 18 November 2009, we can, however, get some interesting clues. The ‘root’ user attempts to log in using a password multiple times from an IP in Singapore, until they finally succeed,” Vitaly Kamluk, a malware expert at Kaspersky Lab, wrote in a new analysis of the Duqu C&C infrastructure.
“Note how the ‘root’ user tries to log in at 15:21:11, fails a couple of times and then 8 minutes and 42 seconds later the login succeeds. This is more of an indication of a password bruteforcing rather than a 0-day. So the most likely answer is that the root password was bruteforced. Nevertheless, the third question remains: Why did the attackers replace the stock OpenSSH 4.3 with version 5.8?”
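The pattern Kamluk describes (repeated failed password logins for ‘root’ from one address, then a success minutes later) is straightforward to surface from an OpenSSH auth log. The Python below is an added example, not code from the Kaspersky analysis; the log lines, hostname, IP addresses and the assumed year 2009 (syslog timestamps carry no year) are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the classic OpenSSH syslog format. The host name,
# addresses and process IDs are illustrative; only the 8m42s gap mirrors the report.
SAMPLE_LOG = """\
Nov 18 15:21:11 cnc sshd[2110]: Failed password for root from 192.0.2.10 port 4411 ssh2
Nov 18 15:21:14 cnc sshd[2110]: Failed password for root from 192.0.2.10 port 4411 ssh2
Nov 18 15:22:30 cnc sshd[2117]: Failed password for root from 192.0.2.10 port 4420 ssh2
Nov 18 15:25:02 cnc sshd[2131]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2
Nov 18 15:29:53 cnc sshd[2140]: Accepted password for root from 192.0.2.10 port 4602 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line, year=2009):
    """Parse one sshd password-auth line; year is assumed because syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce_logins(log_text, min_failures=2, window_s=3600):
    """Return (user, ip, failures, seconds_to_success) for every accepted password
    login preceded by at least min_failures failures from the same ip within window_s."""
    failures = {}   # (user, ip) -> timestamps of failed attempts
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue            # other sshd messages (key auth, disconnects) are ignored
        ts, result, user, ip = rec
        key = (user, ip)
        if result == "Failed":
            failures.setdefault(key, []).append(ts)
            continue
        recent = [t for t in failures.get(key, []) if (ts - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            hits.append((user, ip, len(recent), int((ts - recent[0]).total_seconds())))
    return hits
```

On the constructed sample this flags the root login from 192.0.2.10 with three prior failures and 522 seconds (8m42s) from first failure to success; the unrelated ‘admin’ failure from another address does not contribute.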
The first public discussions of the Duqu attacks surfaced in mid-October when Symantec published a report. However, researchers at Kaspersky and other companies had gotten private reports about it in September. But within a couple of days of the public reports of Duqu, the attackers began systematically cleaning all of the C&C servers that they’d been using. In one case, researchers missed getting an image of a still-active C&C server by just a few hours.
“A global cleanup operation took place on 20 October 2011. The attackers wiped every single server which was used even in the distant past, e.g. 2009. Unfortunately, the most interesting server, the C&C proxy in India, was cleaned only hours before the hosting company agreed to make an image. If the image had been made earlier, it’s possible that now we’d know a lot more about the inner workings of the network,” Kamluk wrote.
Despite the advances in analyzing the known C&C machines, the researchers still haven’t been able to identify the one server that’s being used to control all of the subordinate C&Cs. They have grown more and more confident, however, in recent weeks that whoever wrote Duqu likely also was involved in the development of Stuxnet.