Duqu hackers continue attacks; after India raids, it’s Belgium’s turn
Hackers used a server in Belgium to collect data stolen from machines
infected with the Duqu computer virus, after authorities shut down
another rogue collection system in India, according to security experts.
Governments and security experts around the globe are working to
unlock the secrets of the elusive malware, which some say could be the
next big cyber threat after the Stuxnet virus that was believed to have
infected Iran’s nuclear program.
Researchers at Symantec Corp said they had identified a sample of
Duqu that was configured to communicate with a specific server at
Combell Group, Belgium’s largest Web-hosting company.
Hackers frequently use or lease servers at data centres to manage
their malicious activities, without the knowledge of the data centre
operator. Symantec said in a report on its website on Tuesday that it
had notified Combell that the server was being used for malicious
activity.
Combell Group said it shut down that server on Thursday in response to a query about the matter from Reuters.
“We investigated the case,” Combell Business Development Manager Tom
Blast told Reuters. “We decided to shut down the server immediately.”
News of Duqu first surfaced two weeks ago after researchers at
Hungary’s Laboratory of Cryptography and System Security found a
computer virus that contained code similar to Stuxnet. Early analysis
suggested Duqu was developed by hackers to help lay the groundwork for
attacks on critical infrastructure such as power plants, oil refineries
and pipelines.
Indian authorities last month seized computer equipment from a data
center in Mumbai, after Symantec reported that one of its servers was
communicating with computers infected with Duqu.
“Look Fishy”
One of Brussels-based Combell’s employees, who did not want to be
identified as they were not authorised to speak for the company, said on
Wednesday evening that the server had been running continuously for
about a week and was leased through October 27 next year.
“It looks fishy,” he said, adding that somebody controlling the
machine appeared to be intentionally deleting data that would log
details about its communications. “It’s weird. The mail log itself has
almost no entries. I think they are deleting data so they don’t leave
traces.”
John Bumgarner, chief technology officer of the US Cyber Consequences
Unit, also said that the server looked suspicious because it was
running far fewer programs than its neighbours in the Combell data
center.
He said that when the hackers moved their server from India to
Belgium, they also modified the original technique used to communicate
with computers infected by Duqu. This shift made it harder for companies
to detect infected machines based on previous communication patterns.
Researchers at Symantec have said they believe Duqu may have been
developed by the same engineers who built Stuxnet because some of the
source code in the software is the same.
Other researchers disagree, saying the hackers could have reverse engineered the code for Stuxnet.
Stuxnet is believed to have crippled centrifuges that Iran uses to
enrich uranium for what the United States and some European nations have
charged is a covert nuclear weapons program.
Source: firstpost
Comments