Duqu hackers scrub evidence from command servers, shut down spying op

[ronjor]

Quote:

By Gregg Keizer | Computerworld

The hackers behind the Duqu botnet have shut down their snooping operation, a security researcher said today.

The 12 known C&C (command-and-control) servers for Duqu were scrubbed of all files on Oct. 20, 2011, according to Moscow-based Kaspersky Lab

https://www.infoworld.com/d/security...ying-op-180485

[Cudni]

So now they regroup and show up elsewhere.

[Baserk]

I can't make much sense from;
"The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)" link (Conclusion nr.3)

Rejection of a theory based on fear?
Why instead opt for the 'kinda seemingly bruteforcing a password in 8 minutes with afaics a few attempts' theory?
Anyone 'In-the-know' who can shed some light on this?

[CloneRanger]

I'm sure i read that one of the AV vendors had grabbed ALL the data from at least one of the servers ? If so they have plenty of juice Not that i expect them to spill All the beans though, to us anyway

However they did say that they would publish more info later, still waiting !

Quote:

@ Baserk

Anyone 'In-the-know' who can shed some light on this?

Yeah, but as i've signed the Official Secrets Act, i'm sworn to secrecy, & if i did tell you i'd have to kill you Only kidding

[siljaline]

The December Windows Updates should tame some Duqu issues.

[trismegistos]

Quote:

Originally Posted by Baserk

I can't make much sense from;
"The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)" link (Conclusion nr.3)

Rejection of a theory based on fear?
Why instead opt for the 'kinda seemingly bruteforcing a password in 8 minutes with afaics a few attempts' theory?
Anyone 'In-the-know' who can shed some light on this?

I'm not in the know but interesting comments by posters in your link particularly coming from users Jesse Carter and Sam Crawford.

[Baserk]

Quote:

Originally Posted by trismegistos

I'm not in the know but interesting comments by posters in your link particularly coming from users Jesse Carter and Sam Crawford.

Interesting for sure! Thanks for reminding, Trismegistos.

[cozofdeath]

This crap is scary

[MessageBoxA]

Quote:

Originally Posted by Baserk

Anyone 'In-the-know' who can shed some light on this?

Pure speculation of course, but I'll add a comment; I have heard rumors of some information disclosure vulnerabilities that leak a single next-bit at a time. Most system administrators will lock down the CentOS servers with an iptables rule to slow down brute-force against the SSH daemon. Such as:

Quote:

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

If we were able to obtain a single bit at a time... and we know there are 8 bits to the byte... we could get 1 character of the password per minute.

Server "B" in Germany was brute forced in 8 minutes and would imply an 8-character password in our little fantasy scenario.

Best Wishes,
-MessageBoxA