Feeds

Duqu attackers: master coders, Linux rookies

Amateur goofs doom global wipe of C&C servers

Beginner's guide to SSL certificates

The Duqu malware that targeted industrial manufacturers around the world may have been spawned by a well-funded team of competent coders, but their command of Linux led to some highly amateur mistakes.

According to a report published on Wednesday by researchers from Kaspersky Lab, the unknown attackers attempted a global cleanup on a dozen or more hacked Linux servers they used to control systems infected with Duqu. The mass purge on machines running CentOS 5.x came on October 20, two days after researchers publicly compared Duqu to the Stuxnet worm that sabotaged Iran's nuclear program. Speculation is the operators were trying to cover their tracks.

In their haste, the attackers appear to have made some critical mistakes. Servers in Vietnam and Germany contained partial logs of the hackers' SSH and bash sessions that remained on the / partition.

“This was kind of unexpected and it is an excellent lesson about Linux and the ext3 file system internals,” Kaspersky researcher Vitaly Kamluk wrote. “Deleting a file doesn't mean there are no traces or parts, sometimes from the past. The reason for this is that Linux constantly reallocates commonly used files to reduce fragmentation.”

The sshd.log files show the attackers logging into the Vietnam-based machine in July and in October just prior to mass purge. The Germany-based system also showed evidence of being accessed on November 23, 2009 and the user receiving error messages indicating that attempts to redirect traffic on ports 80 and 443 had failed. The breadcrumbs may have been few, but they were enough to show that the servers weren't true command and control channels, but rather proxies designed to conceal the attackers' true origin.

Using similar techniques, the Kaspersky researchers unearthed evidence that every hacked server had its OpenSSH 4.3 application upgraded to version 5.8. A recovered bash history on the machine in Germany also showed the attackers needed refreshers in basic Linux administration. At one point, they referenced the sshd_config manual, and at another juncture, they needed to check documentation for the Linux ftp client. They also botched the command line syntax for the Linux iptables.

The attackers also left behind traces of changes they made to the sshd-config file. One of them speeds up port directions over tunnels, which is simple enough change to understand. The other enabled Kerberos authentication. The Kaspersky researchers still aren't sure what the motive is for the latter modification.

So far, the researchers say, they've analyzed only a fraction of compromised servers, which among other places, were located in Singapore, Switzerland, the UK, the Netherlands, Belgium, and South Korea. It will be interesting to see what evidence they're able to exhume from additional machines. In the meantime they're hoping Linux admins can help them ponder a few questions, including:

  • Why the preoccupation with updating OpenSSH 4.3 to version 5.8 as soon as a machine had been commandeered?

and

  • Is there any relationship between the updates and the modification to “GSSAPIAuthentication yes” made to the sshd-config file?

“We hope that through cooperation and working together we can cast more light on this huge mystery of the Duqu trojan,” Kamluk wrote. Tipsters can reach his team at “stopduqu AT Kaspersky DOT com.” ®

Follow dangoodin001

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.