Duqu hackers shut down operation and wiped servers

Posted on: December 2, 2011

Security researchers have revealed that the hackers behind the Duqu Trojan horse, a sibling of Stuxnet, have shut down their operation and wiped all of their command and control servers, leaving very little for security experts to investigate further.

Kaspersky Lab analysed a number of Duqu command and control servers and discovered that the virus was in operation from as early as November 2009, despite it having only been discovered in October of this year. This is a worrying revelation, as it means that computers and servers might have been infected for years with malware that has yet to be discovered.

The researchers also found that a global cleanup took place earlier this year on 20 October, a day or two after it was revealed to the world that the virus existed. All of the command and control servers were wiped clean, right back to the 2009 activity, leaving little trace that anything had ever happened.

This is interesting, as it means that the hackers behind the virus were particularly intent on keeping it a secret and effectively pulled the plug as soon as a whisper of it got out to the public. The fact that the people behind Duqu could do this so quickly and effectively raises questions about how powerful they are and how much money and how many personnel they have at their disposal. Since Duqu’s relative Stuxnet is widely believed to have been created by a government, it is not unreasonable to think it likely that Duqu had similar origins.

The researchers did find some things, however. The servers were most likely compromised by brute-forcing the root password, rather than through the OpenSSH 4.3 zero-day that had been theorised, and the hackers upgraded OpenSSH 4.3 to version 5 immediately after gaining control of each server, suggesting the newer version was of some importance to them.
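The root-password brute force the researchers describe leaves a recognisable trail in sshd logs: a burst of failed password attempts for root from one address, followed by an accepted one. The detector below is an added example, not from the article or from Kaspersky's analysis; the log lines are constructed and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog sample (not from the article): a password brute
# force against root from one host that ends in a successful login, plus
# unrelated noise from other hosts.
SAMPLE_LOG = """\
Oct 18 02:14:01 c2host sshd[2211]: Failed password for root from 203.0.113.7 port 41022 ssh2
Oct 18 02:14:02 c2host sshd[2213]: Failed password for root from 203.0.113.7 port 41023 ssh2
Oct 18 02:14:02 c2host sshd[2215]: Failed password for root from 203.0.113.7 port 41024 ssh2
Oct 18 02:14:03 c2host sshd[2217]: Failed password for root from 203.0.113.7 port 41025 ssh2
Oct 18 02:14:04 c2host sshd[2219]: Failed password for root from 203.0.113.7 port 41026 ssh2
Oct 18 02:14:05 c2host sshd[2221]: Accepted password for root from 203.0.113.7 port 41027 ssh2
Oct 18 02:20:11 c2host sshd[2300]: Failed password for admin from 198.51.100.9 port 50001 ssh2
Oct 18 02:25:40 c2host sshd[2302]: Accepted publickey for deploy from 192.0.2.5 port 60010 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text):
    """Return (timestamp, result, method, user, ip) tuples for auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect_root_password_bruteforce(log_text, threshold=5, window_s=60):
    """Flag IPs with >= threshold failed root password logins inside window_s
    seconds; mark 'compromised' if root then logs in by password from that IP."""
    failures = defaultdict(list)   # ip -> recent failure timestamps
    flagged = {}
    for ts, result, method, user, ip in parse(log_text):
        if user != "root" or method != "password":
            continue
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "compromised": False})
                entry["failures"] = max(entry["failures"], len(recent))
        elif ip in flagged:        # Accepted password for root after the burst
            flagged[ip]["compromised"] = True
    return flagged
```

Running it over `SAMPLE_LOG` flags 203.0.113.7 with five failures and marks it compromised, while the single failed `admin` attempt and the key-based `deploy` login stay below the radar.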

Source: The Inquirer
