Duqu authors leave logs on servers after clean-up

Kerry Butters

December 1, 2011

Researchers at Kaspersky Labs have examined servers used by the authors of the Duqu trojan, after the attackers went on a clean-up mission last month to cover their tracks.

The study found that command and control (C&C) servers used by Duqu over the past three years number more than a dozen.

Kaspersky also say that they have so far found and catalogued more than 12 variants of the malware.

The security experts say that many of the servers were used to cover the attackers’ tracks and others as part of the C&C infrastructure.

It’s still not known who the authors of Duqu are and the clean-up of the C&C servers came just after it was reported that the code in the trojan is strikingly similar to that used in the Stuxnet worm.

The researchers at Kaspersky say that the attackers wiped every server they had used since 2009 and “covered their tracks quite effectively”, but left enough information behind in order for security experts to analyse and “shed some light on how the C&C network worked.”

It seems the malware authors used Linux servers running CentOS versions 5.4, 5.5 and 5.2. However, they didn’t seem to be completely au fait with how the systems worked and slipped up, leaving log files behind.

The attackers knew enough to clean up certain parts of the root folder, and they were pretty thorough about it: although it’s sometimes possible to recover deleted files on Linux servers, the researchers were unable to do so this time.

However, by scanning the unused space on one partition, they were able to find part of the sshd.log file.

This was possible because “Linux constantly reallocates commonly used files to reduce fragmentation.”

It was found that the attacker “logged in twice from the same IP address on 19 July and 20 October” this year and the timestamps in the root folder indicated that the latter login was the person who was responsible for the clean-up.

The July login showed that the attacker had installed a newer version of OpenSSH and then checked back a few days later to make sure everything was OK.

Although the logs showed when the attackers had logged in and made changes, there was no indication of how they gained access, what the server was used for, or why they felt the need to update OpenSSH.

On one of the servers examined, it was also found that the hackers attempted to use ports 80 and 443, probably to redirect traffic to the main C&C server; as those ports were already in use, this generated an error file instead, which was left behind.

Overall, the researchers found that Duqu C&C servers have been operational since November 2009 and that the attackers gained access to the hacked servers by brute-forcing the root password.
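Two of the findings above, the sshd log fragment carved from unallocated space and the brute-forced root password, can be reproduced in miniature. This is an added example, not Kaspersky’s tooling or data: it scans a constructed raw partition image for complete sshd syslog lines, skips the fragment cut off by overwriting, and reports each successful root login with the number of failed attempts from the same IP shortly before it (the hostname, the IP 203.0.113.7 and the timestamps are made up).

```python
import re
from datetime import datetime, timedelta

# sshd's syslog line format, matched on raw bytes so fragments of a deleted log
# surviving in unallocated space can be found without any filesystem metadata.
SSHD_LINE = re.compile(
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    rb"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    rb"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed partition image (not Kaspersky's data): zero fill and junk around a
# deleted log fragment; hostname, IP and timestamps are made up for the example.
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"\xff\xfe unrelated data \x00"
    + b"Jul 19 03:12:45 host sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2\n"
    + b"Jul 19 03:12:49 host sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2\n"
    + b"Jul 19 03:12:53 host sshd[2231]: Accepted password for root from 203.0.113.7 port 51022 ssh2\n"
    + b"\x00" * 32
    + b"Oct 20 22:01:10 host sshd[4410]: Accepted password for root from 203.0.113.7 port 40211 ssh2\n"
    + b"Oct 20 22:03:41 host sshd[4410]: Accepted password for ro"  # overwritten mid-line
)


def carve_sshd_events(image: bytes, year: int) -> list:
    """Return every complete sshd password-auth line found anywhere in the raw bytes."""
    events = []
    for m in SSHD_LINE.finditer(image):
        # syslog omits the year; the analyst supplies it (e.g. from inode timestamps)
        when = datetime.strptime(f"{year} {m['ts'].decode()}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "accepted": m["result"] == b"Accepted",
                       "user": m["user"].decode(), "ip": m["ip"].decode()})
    return sorted(events, key=lambda e: e["time"])


def root_logins_with_failures(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """For each successful root login, count failed root attempts from the same IP in
    the preceding window: non-zero suggests brute force, zero a password already known."""
    out = []
    for e in events:
        if not (e["accepted"] and e["user"] == "root"):
            continue
        failures = sum(1 for f in events
                       if not f["accepted"] and f["user"] == "root" and f["ip"] == e["ip"]
                       and e["time"] - window <= f["time"] < e["time"])
        out.append((e["time"].strftime("%d %b"), e["ip"], failures))
    return out
```

On the sample image this yields the 19 July root login preceded by two failures from the same IP and the 20 October login with none, the same two-date, same-IP pattern the article describes.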

According to a reply to Kaspersky’s blog post, this represents a serious error on the part of system administrators in charge of the servers.

It was also found that on all servers the attackers gained access to, they felt a “burning desire to update OpenSSH” as soon as they were in.

This could have been done to ensure that others couldn’t then access the servers in the same way, thus protecting the attackers from a similar attack from a third party.

Whilst the logs left behind have helped researchers to gain some understanding on how the Duqu C&C infrastructure works, they are still completely in the dark as to who the attackers are, or where they are located.

In fact the research raises as many questions as it answers, such as why the attackers were so keen to launch a massive clean-up operation when the link to Stuxnet was published.
