Duqu Servers Included Hacked Linux Systems

Thursday, December 01, 2011

Dan Dieterle



Some very interesting information was released yesterday in a follow-up Duqu analysis report by Kaspersky Lab. Highlights from the article include:

  • The Duqu C&C servers operated as early as November 2009.
  • Many different servers were hacked all around the world, in Vietnam, India, Germany, Singapore, Switzerland, the UK, the Netherlands, Belgium, South Korea to name but a few locations. Most of the hacked machines were running CentOS Linux. Both 32-bit and 64-bit machines were hacked.
  • The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory – that would be too scary!)
  • The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server.
  • A global cleanup operation took place on 20 October 2011. The attackers wiped every single server which was used even in the distant past, e.g. 2009. Unfortunately, the most interesting server, the C&C proxy in India, was cleaned only hours before the hosting company agreed to make an image. If the image had been made earlier, it’s possible that now we’d know a lot more about the inner workings of the network.
  • The “real” Duqu mothership C&C server remains a mystery just like the attackers’ identities.

Wait just a minute: “Most of the hacked machines were running CentOS Linux”. Linux gets hacked? For those of you who think that Linux is invulnerable, this may be an eye opener.

The interesting question is how they did it, and that leads to more questions. A recovered sshd log from a server in Germany captured what may be evidence of a brute force password attack against the root account:

[Image: recovered sshd log from the server in Germany]
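As an added example (not code from the post or from Kaspersky's report), the following Python script shows the two checks a practitioner would want after reading this: a detector that walks sshd log lines, counts failed logins per source address in a sliding window, and flags the pattern the analysts describe (a burst of failures from one address followed by an accepted root password), plus an audit of the two sshd_config options that make a guessed root password usable at all. The log lines, the config fragments, the addresses, the timestamps and the year 2011 used to complete the year-less syslog timestamps are all constructed here, not taken from the recovered servers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format, as sshd writes them on
# CentOS. They are NOT the recovered Duqu server log (which the post shows only
# as an image); they are invented to exercise the detector below.
SAMPLE_LOG = """\
Nov 23 21:13:01 host sshd[2213]: Failed password for root from 203.0.113.7 port 40211 ssh2
Nov 23 21:13:02 host sshd[2215]: Failed password for root from 203.0.113.7 port 40213 ssh2
Nov 23 21:13:03 host sshd[2217]: Failed password for root from 203.0.113.7 port 40215 ssh2
Nov 23 21:13:04 host sshd[2219]: Failed password for root from 203.0.113.7 port 40217 ssh2
Nov 23 21:13:05 host sshd[2221]: Failed password for root from 203.0.113.7 port 40219 ssh2
Nov 23 21:13:06 host sshd[2223]: Accepted password for root from 203.0.113.7 port 40221 ssh2
Nov 23 21:15:00 host sshd[2301]: Accepted publickey for admin from 198.51.100.9 port 51022 ssh2
Nov 23 21:16:10 host sshd[2310]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
"""

# One regex covers both the "Failed <method> for [invalid user] <user> from <ip>"
# and the "Accepted <method> for <user> from <ip>" forms sshd emits.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=600, year=2011):
    """Return alerts found in sshd log text.

    Two alert kinds are produced per source address:
      - 'bruteforce': the address reached `threshold` failed logins inside
        `window_seconds` (raised once per burst);
      - 'success_after_bruteforce': an accepted login arrived while the address
        still had at least `threshold` recent failures, i.e. the password was
        most likely guessed rather than known.
    `year` is an assumption: syslog timestamps carry no year.
    """
    failures = defaultdict(list)  # ip -> datetimes of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if m["result"] == "Failed":
            recent.append(ts)
            failures[ip] = recent
            if len(recent) == threshold:
                alerts.append({"kind": "bruteforce", "ip": ip, "failures": len(recent), "at": ts})
        else:
            if len(recent) >= threshold:
                alerts.append({"kind": "success_after_bruteforce", "ip": ip, "user": m["user"],
                               "method": m["method"], "failures": len(recent), "at": ts})
            failures[ip] = []  # a successful login ends the burst
    return alerts


# Hypothetical sshd_config fragments. The "weak" one mirrors a stock config of
# the OpenSSH 4.x/5.x era, where the commented-out lines fall back to the
# compiled-in defaults (root login and password authentication both allowed).
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# option -> (value that leaves password-guessing of root possible,
#            OpenSSH default of that era when the option is absent or commented out)
RISKY_SETTINGS = {
    "PermitRootLogin": ("yes", "yes"),
    "PasswordAuthentication": ("yes", "yes"),
}


def audit_sshd_config(text):
    """Return the sorted list of options that still allow a guessed root password to log in."""
    effective = {opt: default for opt, (_, default) in RISKY_SETTINGS.items()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in effective:
            effective[parts[0]] = parts[1].strip().lower()
    return sorted(opt for opt, (bad, _) in RISKY_SETTINGS.items() if effective[opt] == bad)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
    print("weak config exposes:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config exposes:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Run against the constructed sample, the detector raises one `bruteforce` alert when 203.0.113.7 hits its fifth failure and a `success_after_bruteforce` alert for the root login one second later, while the admin's key-based login and the lone failure from 192.0.2.44 stay quiet. The config audit reports both `PermitRootLogin` and `PasswordAuthentication` for the stock-style fragment and nothing for the hardened one; the point of the second check is that a commented-out option is not a disabled option.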

What is also odd is that as soon as they logged in, one of the first things they did was update OpenSSH (used for remote access) from 4.3 to version 5, as this snippet from a recovered Bash shell history shows:

[Image: recovered Bash shell history from the hacked server]

This has led to quite a debate: some say the hackers got in using an OpenSSH zero-day exploit, while others argue that they simply needed the updated features of version 5 to make command and control more uniform across all of the servers.

Also interesting is how many times help files and manuals are referenced in the above capture. Why would the all-powerful Stuxnet attackers, who breached Iran’s secured nuclear facilities and created several 0-day attacks, need to reference help files so frequently?

The simple explanation is that they probably were not as familiar with this distribution of Linux. Most likely they were more familiar with Red Hat Enterprise Linux, on which CentOS is based.

Be it brute force password guessing or another Stuxnet-style 0-day, Duqu shows that Linux is vulnerable to hackers too. And with its growing install base, supplanting Windows desktops in many facilities, expect it to become even more of a target.

Cross-posted from Cyber Arms

Tags: Viruses & Malware, Information Security, Windows, SSH, Linux, Stuxnet, hackers, Brute Force, DUQU, CentOS