Duqu attackers wiped Linux C&C servers

The Duqu malware has been creating havoc in the industrial sector across the world. Indian officials shut down a server linked to Duqu in Mumbai, which was then taken offline for further investigation, and Microsoft issued a temporary fix for the flaw it exploited. Researchers from Kaspersky Lab, who have been studying Duqu's Command and Control infrastructure, have now revealed in a report that the attackers made some critical mistakes while attempting to clear evidence.

Kaspersky report (Image Credit: Securelist)

The researchers showed that Duqu C&C servers had been in operation since November 2009. Most of the hacked machines were running CentOS Linux. Each time the attackers gained control of a server, they updated OpenSSH 4.3 to version 5. The report says, “Unfortunately, the most interesting server, the C&C proxy in India, was cleaned only hours before the hosting company agreed to make an image. If the image had been made earlier, it’s possible that now we’d know a lot more about the inner workings of the network.”

According to the report, on October 20 the attackers carried out a global cleanup operation on several Linux servers that had been used to control Duqu-infected systems. The servers were running CentOS 5.x, and the cleanup came just two days after Duqu was publicly compared with Stuxnet. It is speculated that the operators were trying to cover their tracks. The cleanup was apparently done in a hurry, which led to a critical mistake: servers in Vietnam and Germany still held partial logs of the attackers’ SSH sessions.


The sshd.log files showed that the attackers had logged into a Vietnam-based machine in July and in October, and into a Germany-based system as early as November 23, 2009. The servers were proxies designed to hide the attackers’ real location. The real Duqu “mothership” C&C server, and of course the identity of the attackers, have not yet been disclosed.
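The forensic point in the report is that even partial sshd logs left behind after a wipe give the first and last surviving login per server, and source addresses seen on more than one proxy tie the machines together. The example below is added here and is not part of the article or of Kaspersky's report; the log lines are constructed in CentOS 5 syslog style (no year in the timestamp, so order is taken from the file), and all addresses and host names are made up.

```python
import re
from collections import defaultdict

# Constructed syslog-style sshd lines (not the real Duqu server logs); the
# gaps between entries mimic the partial logs that survived the cleanup.
SAMPLE_LOGS = {
    "proxy-vietnam": [
        "Jul  3 02:14:51 vn sshd[2201]: Accepted password for root from 192.0.2.10 port 4411 ssh2",
        "Jul  3 02:14:51 vn sshd[2201]: pam_unix(sshd:session): session opened for user root by (uid=0)",
        "Oct 20 18:02:13 vn sshd[9812]: Accepted publickey for root from 198.51.100.7 port 3302 ssh2",
        "Oct 20 18:05:40 vn sshd[9830]: Failed password for root from 198.51.100.99 port 1020 ssh2",
    ],
    "proxy-germany": [
        "Nov 23 11:40:02 de sshd[1440]: Accepted password for root from 203.0.113.5 port 50122 ssh2",
        "Oct 20 17:58:40 de sshd[7781]: Accepted password for root from 198.51.100.7 port 3290 ssh2",
    ],
}

# Syslog timestamps carry no year, so the timestamp is kept as a string and
# file order is trusted for "first" and "last".
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_accepted(line):
    """Return (timestamp, user, source IP, auth method) for an accepted login, else None."""
    m = ACCEPTED.search(line)
    if not m:
        return None
    return m.group("ts"), m.group("user"), m.group("src"), m.group("method")

def login_timeline(lines):
    """Accepted logins in log order; the first entry is the earliest surviving evidence."""
    return [e for e in map(parse_accepted, lines) if e]

def shared_sources(logs):
    """Map each source IP to the hosts it logged into and keep only the IPs seen on
    more than one server: these are what link separate proxies to one operator."""
    seen = defaultdict(set)
    for host, lines in logs.items():
        for _, _, src, _ in login_timeline(lines):
            seen[src].add(host)
    return {src: hosts for src, hosts in seen.items() if len(hosts) > 1}

if __name__ == "__main__":
    for host, lines in SAMPLE_LOGS.items():
        tl = login_timeline(lines)
        print(host, "first surviving login:", tl[0][0], "last:", tl[-1][0])
    print("sources seen on multiple proxies:", shared_sources(SAMPLE_LOGS))
```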


Armed with a Bachelor of Electronics Engineering degree, it is in writing that Naina finds her calling. She has her finger on the pulse of what's new and trending in the world of technology, from gadgets to innovations. When she isn't hammering away at her keyboard, she is busy looking for figurines to add to her growing collection of Kinder toys. It doesn't get more diverse than that.
