SECURITY RESEARCHERS have revealed that the hackers behind the Duqu Trojan horse virus, a sibling of Stuxnet, have shut down their operation and wiped all of their command and control servers, leaving very little for security experts to investigate further.
Kaspersky Labs analysed a number of Duqu command and control servers and discovered that the virus was in operation from as early as November 2009, despite it having only been discovered in October of this year. This is a worrying revelation, as it means that computers and servers might have been infected for years with malware that still has yet to be discovered.
The researchers also found that a global cleanup took place earlier this year on 20 October, a day or two after it was revealed to the world that the virus existed. All of the command and control servers were wiped clean, right back until the 2009 infection, leaving little trace that anything had ever happened.
This is interesting, as it means that the hackers behind the virus were particularly intent on keeping it a secret and effectively pulled the plug as soon as a whisper of it got out to the public. The fact that the people behind Duqu could do this so quickly and effectively raises questions about how powerful they are and how much money and how many personnel they have at their disposal. Since Duqu's relative Stuxnet is widely believed to have been created by a government, it is not unreasonable to think it likely that Duqu had similar origins.
Kaspersky Labs said in a blog post that the primary command and control server for Duqu remains a mystery, as are the identities of the hackers.
Some things the researchers did find, however, include the likelihood that the servers were hacked through brute-forcing the root password, as opposed to the OpenSSH 4.3 zero-day theory, and the hackers upgraded OpenSSH 4.3 to version 5 immediately after gaining control of the servers, suggesting there is some importance in the newer version of the software. µ