Duqu Command & Control Servers included Hacked Linux Systems by D. Dieterle



cap10Ibraim
December 5th, 2011, 07:20 PM
Some very interesting information was released yesterday in a follow up Duqu analysis report (https://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers) by Kaspersky Labs. Highlights from the article include:


The Duqu C&C servers operated as early as November 2009.
Many different servers were hacked all around the world, in Vietnam, India, Germany, Singapore, Switzerland, the UK, the Netherlands, Belgium, South Korea to name but a few locations. Most of the hacked machines were running CentOS Linux. Both 32-bit and 64-bit machines were hacked.
The servers appear to have been hacked by brute-forcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory – that would be too scary!)
The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server.
A global cleanup operation took place on 20 October 2011. The attackers wiped every single server which was used even in the distant past, e.g. 2009. Unfortunately, the most interesting server, the C&C proxy in India, was cleaned only hours before the hosting company agreed to make an image. If the image had been made earlier, it’s possible that now we’d know a lot more about the inner workings of the network.
The “real” Duqu mothership C&C server remains a mystery just like the attackers’ identities.

Wait just a minute, “Most of the hacked machines were running CentOS Linux”. Linux gets hacked? For those of you who think that Linux is invulnerable, this may be an eye opener.
What is interesting though is how did they do it? This leads to more questions. A recovered sshd log from a server in Germany caught what might be evidence of a brute force password attack:
https://www.securelist.com/en/images/pictures/klblog/208193282.png
But what is odd too is that as soon as they logged in, one of the first things done was to update OpenSSH (used for remote access) from 4.3 to 5, as this snip from a recovered Bash shell history shows:
https://www.securelist.com/en/images/pictures/klblog/208193276.png
This has led to quite a debate, some saying that the hackers got in using an OpenSSH zero-day exploit, while others claim that they just needed the updated features of 5 to make command and control more uniform across the board.
Also interesting is to see how many times help files and manuals are referenced in the above capture. Why would the all powerful Stuxnet attackers who breached Iran’s secure nuclear facilities and have created several 0-day attacks need to reference help files so frequently?
The simple solution is that they probably were not as familiar with this distribution of Linux. Most likely they were more familiar with Red Hat Enterprise Linux, which CentOS is based on.
Be it brute force password hacking or another Stuxnet 0-Day, Duqu shows that Linux is vulnerable to hackers too. And with its growing install base, supplanting Windows desktops in many facilities, expect it to become even more of a target.

Dry Lips
December 5th, 2011, 11:15 PM
Really interesting stuff. Thanks a lot for posting! I especially thought that the Kaspersky blog post that was referred to was a good read.

https://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers

Paqman
December 6th, 2011, 02:46 PM
Wait just a minute, “Most of the hacked machines were running CentOS Linux”. Linux gets hacked? For those of you who think that Linux is invulnerable, this may be an eye opener.

This is actually pretty common. People get confused by the fact that there aren't any threatening Linux viruses in circulation. Hacking and viruses are completely different threats. Any OS can be hacked.

Linux is a primary target for hacking attempts of this type, because it's installed on so many servers. A powerful web-facing machine that's always on and can handle large amounts of traffic is a very attractive target for hackers.

F.G.
December 6th, 2011, 04:07 PM
Really interesting article. A nice look into how forensics and hacking actually work.

Dangertux
December 6th, 2011, 05:29 PM
Funny how it's brute force SSH. I love that sysadmins let that happen so frequently.

BTW if you guys liked that you should check out the rest of his blog, Dan is a good friend of mine and has some really great posts about forensics.

http://cyberarms.wordpress.com is his site.

Paqman
December 7th, 2011, 09:26 AM
Funny how it's brute force SSH. I love that sysadmins let that happen so frequently.


Can't say that I'm surprised. When I opened up SSH on my NAS my logs instantly filled up with brute force attempts from far and wide; it's a bit of an eye-opener how ubiquitous it is.