Cyber warfare expert John Bumgarner claims that the Stuxnet and Duqu virus have been active for much longer than previously suspected, he says that they are active in different variant since 2006.
Precisely he claims that the Stuxnet computer virus is linked to Conficker, a mysterious “worm” that surfaced in late 2008 and infected millions of PCs.
Conficker was used to open back doors into computers in Iran, then infect them with Stuxnet … “Conficker was a door kicker,”
Let remind that StuxNet has been discovered in 2010 and has been developed to attack Siemens PLCs whose use is widespread in the control systems of centrifuges for uranium enrichment.
Iran is still confronting the virus and the consequences of his attacks on the country’s critical infrastructures. However Duqu has been more recent discovery and it apparently seems to share the genesis of Stuxnet, and it seems to be created for a different purpose, information steal. At least that would seem to be the main feature of Duqu observed in isolated instances of malware.
That said, the most alarming Duqu feature is its modularity, which would indicate that the malware has been designed with the intent to be scalable in its offensive possibilities. Today identity theft, tomorrow … unpredictable behaviour and targets?.
We are facing a new malware generation, modular and polymorphic, two features that make it particularly dangerous.
According Vitaly Kamluk, malware expert at Kaspersky Lab, his team found more than a dozen command-and-control servers operating during the past three years. This demonstrate that more than a dozen different Duqu varients have been identified. Many different servers were hacked all around the world (e.g. in Vietnam, Germany, Singapore, Switzerland, India and UK). Most of the infected machines were running CentOS Linux and seems have been hacked by brute forcing attack to the root password. OpenSSH 4.3 0-day theory has been excluded.
Server ‘A’ was located in Vietnam and was used to control Duqu deployed in Iran. This was a Linux server running CentOS 5.5. Actually, all the Duqu C&C servers we have found so far run CentOS – version 5.4, 5.5 or 5.2. It is not known if this is just a coincidence or if the attackers have an affinity (exploit?) for CentOS 5.x.
The attackers replace the stock OpenSSH 4.3 with version 5.8, and it has been possible to demonstrate it, but we don’t know real reason.
Server ‘B’ was located at a data center in Germany that belongs to a Bulgarian hosting company. It was used by the attackers to log in to the Vietnamese C&C. Evidence also seems to indicate it was used as a Duqu C&C in the distant past, although we couldn’t determine the exact Duqu variant which did so.
The Linux choice for the attacked system is quite strange.
A global cleanup operation took place on 20 October 2011 but the attackers wiped every single server which was used even in the distant past but unfortunately, the most interesting server, the C&C proxy in India, was cleaned only hours before the hosting company agreed to make an image. The “real” Duqu mothership C&C server remains a mystery just like the attackers’ identities.
Here you are the principal milestones related to the agent history:
More I read of the results obtained by the research groups more I am convinced that behind the development of such malware there is a government sponsorship.
We are facing with a new generation of weapons, real cyber weapons, silent and really offensive. -They are the result of the growing attention of many governments in cyberwarfare. Viruses are designed by teams of experts and their architecture are so complex that suggests a structured project aimed to surgery offensive.
Frankly speaking I do not understand why nobody have an idea about the possible paternity of the virus, whose genesis I think it is now well known to leading research groups. Probably the main reason is the important role of the Government who has created this virus and the political and economic power it has.
Nobody sees, nobody hears, nobody talks about it!