India shuts server linked to Duqu computer virus


SymbolPriceChangeDELL16.31-0.01EMC25.03-0.01INTC24.98-0.15SIE.DE78.19+0.39SYMC17.99+0.25{“s” : “dell,emc,intc,sie.de,symc,www”,”k” : “a00,a50,b00,b60,c10,g00,h00,l10,p20,t10,v00″,”o” : “”,”j” : “”}

* Indian authorities take equipment from Mumbai data center

* Mumbai server linked to hackers behind Duqu malware

* Researchers say hackers stole data from malware targets

* Researchers say data taken to help plan future attacks

By Jim Finkle and Supantha Mukherjee

Oct. 28 (Reuters) – Indian authorities seized computer
equipment from a data center in Mumbai as part of an
investigation into the Duqu malicious software that some
security experts warned could be the next big cyber threat.

Two workers at a web-hosting company called Web Werks told
Reuters that officials from India’s Department of Information
Technology last week took several hard drives and other
components from a server that security firm Symantec Corp told
them was communicating with computers infected with Duqu.

News of Duqu first surfaced last week when Symantec said it
had found a mysterious computer virus that contained code
similar to Stuxnet, a piece of malware believed to have wreaked
havoc on Iran’s nuclear program.

Government and private investigators around the world are
racing to unlock the secret of Duqu, with early analysis
suggesting that it was developed by sophisticated hackers to
help lay the groundwork for attacks on critical infrastructure
such as power plants, oil refineries and pipelines.

The equipment seized from Web Werks, a privately held
company in Mumbai with about 200 employees, might hold valuable
data to help investigators determine who built Duqu and how it
can be used. But putting the pieces together is a long and
difficult process, experts said.

“This one is challenging,” said Marty Edwards, director of
the U.S. Department of Homeland Security’s Industrial Control
Systems Cyber Emergency Response Team. “It’s a very complex
piece of software.”

He declined to comment on the investigation by authorities
in India, but said that his agency was working with
counterparts in other countries to learn more about Duqu.

Two employees at Web Werks said officials from India’s
Department of Information Technology came to their office last
week to take hard drives and other parts from a server.

They said they did not know how the malware got on to Web
Werks’ server. “We couldn’t track down this customer,” said one
of the two employees, who did not want to be identified for
fear of losing their jobs.

An official in India’s Department of Information Technology
who investigates cyber attacks also declined to discuss the
matter. “I am not able to comment on any investigations,” said
Gulshan Rai, director of the Indian Computer Emergency Response
Team, or CERT-In.

UNLOCKING THE SECRET

Stuxnet is malicious software designed to target widely
used industrial control systems built by Germany’s Siemens
(SIEGn.DE: Quote, Profile, Research, Stock Buzz). It is believed to have crippled centrifuges that
Iran uses to enrich uranium for what the United States and some
European nations have charged is a covert nuclear weapons
program.

Duqu appears to be more narrowly targeted than Stuxnet as
researchers estimate the new trojan virus has infected at most
dozens of machines so far. By comparison, Stuxnet spread much
more quickly, popping up on thousands of computer systems.

Security firms including Dell Inc’s SecureWorks, Intel
Corp’s McAfee, Kaspersky Lab and Symantec say they found Duqu
victims in Europe, Iran, Sudan and the United States. They
declined to provide their identities.

Duqu — so named because it creates files with “DQ” in the
prefix — was designed to steal secrets from the computers it
infects, researchers said, such as design documents from makers
of highly sophisticated valves, motors, pipes and switches.

Experts suspect that information is being gathered for use
in developing future cyber weapons that would target the
control systems of critical infrastructure.

The hackers behind Duqu are unknown, but their
sophistication suggests they are backed by a government,
researchers say.

“A cyber saboteur should understand the engineering
specifications of every component that could be targeted for
destruction in an operation,” said John Bumgarner, chief
technology officer for the U.S. Cyber Consequences Unit.

That is exactly what the authors of Stuxnet did when they
built that cyber weapon, said Bumgarner, who is writing a paper
on the development of Stuxnet.

“They studied the technical details of gas centrifuges and
figured out how they could be destroyed,” he said.

Such cyber reconnaissance missions are examples of an
increasingly common phenomenon known as “blended” attacks,
where elite hackers infiltrate one target to facilitate access
to another.

Hackers who infiltrated Nasdaq’s computer systems last year
installed malware that allowed them to spy on the directors of
publicly held companies.

In March, hackers stole digital security keys from EMC
Corp’s RSA Security division that they later used to breach the
networks of defense contractor Lockheed Martin Corp.

Researchers said they are still trying to figure out what
the next phase of Duqu attacks might be.

“We are a little bit behind in the game,” said Don Jackson,
a director of the Dell SecureWorks Counter Threat Unit.
“Knowing what these guys are doing, they are probably a step
ahead.”
(Reporting by Supantha Mukherjee in New York, Jim Finkle in
Boston; Additional reporting by Henry Foy in Mumbai; Editing by
Tiffany Wu)

Article source: http://finance.yahoo.com/news/India-shuts-server-linked-rc-863356422.html

View full post on National Cyber Security » Virus/Malware/Worms