Kaspersky Lab releases findings on Duqu

Vitaly Kamluk, Kaspersky's chief malware analyst, has some interesting findings on the Duqu threat.

A Kaspersky spokesperson sent me a write-up from Kamluk that says, among other things:

• Overall, there have been more than a dozen Duqu command and control servers active during the past three years.

• The Duqu C&C servers operated as early as November 2009.

• Many different servers were hacked all around the world, in Vietnam, India, Germany, Singapore, Switzerland, the UK, the Netherlands, Belgium, and South Korea to name but a few locations. Most of the hacked machines were running CentOS Linux. Both 32-bit and 64-bit machines were hacked.

• The servers appear to have been hacked by brute-forcing the root password.

• The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server.

• A global cleanup operation took place Oct. 20. The attackers wiped every single server which was used even in the distant past, e.g. 2009. Unfortunately, the most interesting server, the C&C proxy in India, was cleaned only hours before the hosting company agreed to make an image. If the image had been made earlier, it’s possible that we’d know a lot more about the inner workings of the network.

• The “real” Duqu mothership C&C server remains a mystery just like the attackers’ identities.

You can read the full details here.

--Bill Brenner


Copyright © 2011 IDG Communications, Inc.
