November 30, 2011, 4:12 PM — The hackers behind the Duqu botnet have shut down their snooping operation, a security researcher said today.
The 12 known command-and-control (C&C) servers for Duqu were scrubbed of all files on Oct. 20, 2011, according to Moscow-based Kaspersky Lab.
That was just two days after rival antivirus firm Symantec went public with its analysis of Duqu, a Trojan horse-based botnet that many security experts believe shared common code and characteristics with Stuxnet, the super-sophisticated worm that last year sabotaged Iran's nuclear program.
Duqu was designed, said Symantec and Kaspersky, by advanced hackers, most likely backed by an unknown country's government. Unlike Stuxnet, it was not crafted to wreak havoc on uranium enrichment centrifuges, but to scout out vulnerable installations and computer networks as a lead-in to the development of another worm targeting industrial control systems.
"I think this part of the [Duqu] operation is now closed." said Roel Schouwenberg, a Kaspersky senior researcher, in an emailed reply to questions today. "[But] that's not to say a new/modified operation may be under way."
Earlier Wednesday, another Kaspersky expert posted an update on the company's investigation into Duqu that noted the Oct. 20 hackers' house-cleaning.
According to Kaspersky, each Duqu variant -- and it knows of an even dozen -- used a different compromised server to manage the PCs infected with that specific version of the malware. Those servers were located in Belgium, India, the Netherlands and Vietnam, among other countries.
"The attackers wiped every single server they had used as far back as 2009," Kaspersky said, referring to the Oct. 20 cleaning job.
The hackers not only deleted all their files from those systems, but double-checked afterward that the cleaning had been effective, Kaspersky noted. "Each [C&C server] we've investigated has been scrubbed," said Schouwenberg.
Kaspersky also uncovered clues about Duqu's operation that it has yet to decipher.
The attackers quickly updated each compromised server's version of OpenSSH -- for Open BSD Secure Shell, an open-source toolkit for encrypting Internet traffic -- to a newer edition, replacing the stock 4.3 version with the newer 5.8.