Feeds

Duqu attackers: master coders, Linux rookies

Amateur goofs doom global wipe of C&C servers

Using blade systems to cut costs and sharpen efficiencies

The Duqu malware that targeted industrial manufacturers around the world may have been spawned by a well-funded team of competent coders, but their command of Linux led to some highly amateur mistakes.

According to a report published on Wednesday by researchers from Kaspersky Lab, the unknown attackers attempted a global cleanup on a dozen or more hacked Linux servers they used to control systems infected with Duqu. The mass purge on machines running CentOS 5.x came on October 20, two days after researchers publicly compared Duqu to the Stuxnet worm that sabotaged Iran's nuclear program. Speculation is the operators were trying to cover their tracks.

In their haste, the attackers appear to have made some critical mistakes. Servers in Vietnam and Germany contained partial logs of the hackers' SSH and bash sessions that remained on the / partition.

“This was kind of unexpected and it is an excellent lesson about Linux and the ext3 file system internals,” Kaspersky researcher Vitaly Kamluk wrote. “Deleting a file doesn't mean there are no traces or parts, sometimes from the past. The reason for this is that Linux constantly reallocates commonly used files to reduce fragmentation.”

The sshd.log files show the attackers logging into the Vietnam-based machine in July and in October just prior to mass purge. The Germany-based system also showed evidence of being accessed on November 23, 2009 and the user receiving error messages indicating that attempts to redirect traffic on ports 80 and 443 had failed. The breadcrumbs may have been few, but they were enough to show that the servers weren't true command and control channels, but rather proxies designed to conceal the attackers' true origin.

Using similar techniques, the Kaspersky researchers unearthed evidence that every hacked server had its OpenSSH 4.3 application upgraded to version 5.8. A recovered bash history on the machine in Germany also showed the attackers needed refreshers in basic Linux administration. At one point, they referenced the sshd_config manual, and at another juncture, they needed to check documentation for the Linux ftp client. They also botched the command line syntax for the Linux iptables.

The attackers also left behind traces of changes they made to the sshd-config file. One of them speeds up port directions over tunnels, which is simple enough change to understand. The other enabled Kerberos authentication. The Kaspersky researchers still aren't sure what the motive is for the latter modification.

So far, the researchers say, they've analyzed only a fraction of compromised servers, which among other places, were located in Singapore, Switzerland, the UK, the Netherlands, Belgium, and South Korea. It will be interesting to see what evidence they're able to exhume from additional machines. In the meantime they're hoping Linux admins can help them ponder a few questions, including:

  • Why the preoccupation with updating OpenSSH 4.3 to version 5.8 as soon as a machine had been commandeered?

and

  • Is there any relationship between the updates and the modification to “GSSAPIAuthentication yes” made to the sshd-config file?

“We hope that through cooperation and working together we can cast more light on this huge mystery of the Duqu trojan,” Kamluk wrote. Tipsters can reach his team at “stopduqu AT Kaspersky DOT com.” ®

Follow dangoodin001

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.