Feeds

Duqu attackers: master coders, Linux rookies

Amateur goofs doom global wipe of C&C servers

Reducing security risks from open source software

The Duqu malware that targeted industrial manufacturers around the world may have been spawned by a well-funded team of competent coders, but their command of Linux led to some highly amateur mistakes.

According to a report published on Wednesday by researchers from Kaspersky Lab, the unknown attackers attempted a global cleanup on a dozen or more hacked Linux servers they used to control systems infected with Duqu. The mass purge on machines running CentOS 5.x came on October 20, two days after researchers publicly compared Duqu to the Stuxnet worm that sabotaged Iran's nuclear program. Speculation is the operators were trying to cover their tracks.

In their haste, the attackers appear to have made some critical mistakes. Servers in Vietnam and Germany contained partial logs of the hackers' SSH and bash sessions that remained on the / partition.

“This was kind of unexpected and it is an excellent lesson about Linux and the ext3 file system internals,” Kaspersky researcher Vitaly Kamluk wrote. “Deleting a file doesn't mean there are no traces or parts, sometimes from the past. The reason for this is that Linux constantly reallocates commonly used files to reduce fragmentation.”

The sshd.log files show the attackers logging into the Vietnam-based machine in July and in October just prior to mass purge. The Germany-based system also showed evidence of being accessed on November 23, 2009 and the user receiving error messages indicating that attempts to redirect traffic on ports 80 and 443 had failed. The breadcrumbs may have been few, but they were enough to show that the servers weren't true command and control channels, but rather proxies designed to conceal the attackers' true origin.

Using similar techniques, the Kaspersky researchers unearthed evidence that every hacked server had its OpenSSH 4.3 application upgraded to version 5.8. A recovered bash history on the machine in Germany also showed the attackers needed refreshers in basic Linux administration. At one point, they referenced the sshd_config manual, and at another juncture, they needed to check documentation for the Linux ftp client. They also botched the command line syntax for the Linux iptables.

The attackers also left behind traces of changes they made to the sshd-config file. One of them speeds up port directions over tunnels, which is simple enough change to understand. The other enabled Kerberos authentication. The Kaspersky researchers still aren't sure what the motive is for the latter modification.

So far, the researchers say, they've analyzed only a fraction of compromised servers, which among other places, were located in Singapore, Switzerland, the UK, the Netherlands, Belgium, and South Korea. It will be interesting to see what evidence they're able to exhume from additional machines. In the meantime they're hoping Linux admins can help them ponder a few questions, including:

  • Why the preoccupation with updating OpenSSH 4.3 to version 5.8 as soon as a machine had been commandeered?

and

  • Is there any relationship between the updates and the modification to “GSSAPIAuthentication yes” made to the sshd-config file?

“We hope that through cooperation and working together we can cast more light on this huge mystery of the Duqu trojan,” Kamluk wrote. Tipsters can reach his team at “stopduqu AT Kaspersky DOT com.” ®

Follow dangoodin001

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.