Wednesday 4 January 2012

Another Duqu mystery unraveled?

During the reverse engineering of Duqu, researchers discovered that Duqu resolves the hostname kasperskychk.dyndns.org, a strange domain name hosted by the company DynDNS. This article discusses the apparent unwillingness of DynDNS to cooperate, and its possible involvement with Duqu.
But let's start with some magic quotes:

“If you don't make mistakes, you don't make anything”

“Mistakes are painful when they happen, but years later a collection of mistakes is what is called experience.”
-Duqu and Stuxnet teach each other

“A man's mistakes are his portals of discovery.”
-Rickey Gevers (Author of this blog)

Since the discovery of Stuxnet and Duqu, people have been speculating about their origin. Most references are based on the code. But does anyone seriously think the authors will leave a note revealing their identity? We are talking about warfare here!
No doubt Stuxnet was used as a weapon, a weapon to conduct warfare, cyber-warfare. Stuxnet is considered the first piece of cyber warfare that has been discovered. And since it is one of the first creations, chances are pretty big that mistakes have been made. In warfare, any clue regarding your identity can be considered a mistake. That is probably one of the reasons why Duqu used hacked servers located all over the world.
As the author of Duqu, you don't want any part of your code connecting to anything related to you, or directly to your country. You have to create a maze in such a way that researchers will never get the chance to examine every piece of it. In the case of Duqu the community cooperated amazingly well, and even two images of hacked servers were given to Kaspersky for examination. The community did a very good job and has come a long way in investigating the route via which information was leaked.

But we have to keep one thing in mind. Relying on hacked servers that can be taken down at any moment brings a risk. And this is probably the reason why Duqu performs the following 'check': the DNS resolution of kasperskychk.dyndns.org. Some say it does this check to see whether there is an internet connection (it also checks www.windows.com), but as anyone can see, kasperskychk.dyndns.org is a fundamentally different domain name. Why kasperskychk? And why DynDNS.org?
DynDNS offers free domain hosting under several extensions; dyndns.org was used in this case. From the moment of its discovery, kasperskychk.dyndns.org has never resolved to anything. Yet from the moment of its discovery the domain name has been in use, and never free for registration, even though DynDNS deletes accounts after 35 days of no activity. Apparently this account is still in use, or DynDNS has blocked usage of it. Statistics on the usage of the domain name could deliver valuable information for the research regarding Duqu. But, according to Kaspersky, DynDNS never offered to help; they only stated they would monitor the situation. While the whole community trusts Kaspersky, and some even send complete forensic images of compromised systems to them, DynDNS apparently does not.

Looking further into DynDNS, several things come up. It is an American company located in Manchester, New Hampshire, United States. As blogged previously, they are known to cooperate with the FBI. And probably what is most important in this case: DynDNS acknowledges that they log every DNS look-up, including the originating IP addresses. They are not legally permitted to share this information with commercial parties, but the key point is that they do log the information. Let me explain why this is so important.

If you are going to attack an unknown environment and you need your malware to connect to the outside world via the internet without getting noticed, you will have to implement several steps at which you can check whether you were successful or not. In the case of Duqu, they most likely used infected documents. The use of a 0-day gives you the assurance that the infection process will (at least) start. After the victim is infected, you want to know what its connection capabilities are. And here comes another critical phase over which the attackers have little control, because they do not control the environment. The traffic originating from the target can be monitored and blocked in multiple ways. Intrusion detection is a big enemy in this phase. The likelihood of a simple DNS lookup via UDP reaching kasperskychk.dyndns.org is pretty high. And because DynDNS logs every DNS request including its originating IP address, you have a good clue whether your infection succeeded and whether there is an active intrusion detection system in place or not. It is exactly this information that is of very, very big value, such big value that it is worth taking extra risk for. You do not want to rely on infrastructure that is not trustworthy or outside your legal control. DynDNS is the one that can provide you with this infrastructure and is within your controlled jurisdiction. And considering they are commonly known for their free registration and massive usage within the script-kiddie community, will anyone notice?
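As an added example (not part of the original post), this is the detection logic a defender could run over DNS query logs to spot the connectivity check described above: it flags any client that resolves kasperskychk.dyndns.org, and raises the confidence when the same client also resolved www.windows.com within a few minutes. The log format and the sample lines are constructed for the example.

```python
# Added example (not from the original post): detect Duqu's connectivity check
# in DNS query logs. Duqu resolves both www.windows.com and
# kasperskychk.dyndns.org; a client doing both within a short window is flagged
# with high confidence, a lone lookup of the check domain with medium confidence.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <client ip> <query name>"
SAMPLE_DNS_LOG = """\
2011-10-18T09:00:01 10.0.0.5 www.windows.com
2011-10-18T09:00:02 10.0.0.5 kasperskychk.dyndns.org
2011-10-18T09:03:10 10.0.0.7 www.windows.com
2011-10-18T09:15:44 10.0.0.7 mail.example.test
2011-10-18T10:20:00 10.0.0.9 kasperskychk.dyndns.org
"""

CHECK_DOMAIN = "kasperskychk.dyndns.org"   # Duqu's check name (from the post)
BENIGN_DOMAIN = "www.windows.com"          # the second name Duqu resolves
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client_ip, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, name = m.groups()
            yield datetime.fromisoformat(ts), ip, name.lower().rstrip(".")


def find_duqu_checks(text, window=timedelta(minutes=5)):
    """Return {client_ip: verdict} for clients that resolved the check domain.
    A windows.com lookup from the same client within `window` raises confidence."""
    by_ip = defaultdict(list)
    for ts, ip, name in parse_dns_log(text):
        by_ip[ip].append((ts, name))
    verdicts = {}
    for ip, events in by_ip.items():
        checks = [ts for ts, n in events if n == CHECK_DOMAIN]
        if not checks:
            continue
        benign = [ts for ts, n in events if n == BENIGN_DOMAIN]
        paired = any(abs(c - b) <= window for c in checks for b in benign)
        verdicts[ip] = "high (paired check)" if paired else "medium (check domain only)"
    return verdicts
```

The same pairing logic works for any malware family with a known pair of check domains; only the two constants change.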

Hacking and setting up a secure, reliable environment within an actively monitored and rapidly changing DNS system that also logs every connection made is a real challenge. And within such a critical phase of the infection you may well want to take a little more risk.

If we compare Stuxnet with Duqu, the big difference is that Stuxnet was programmed to spread massively while Duqu had more specific targets. A connection check as implemented in Duqu is of no use to Stuxnet, since it has no need to know whether it can connect to the internet or whether there is an intrusion detection system in between.

Considering the above, there is reason to believe DynDNS is a specifically chosen partner to cooperate in the Duqu operation.

4 comments:

  1. Interesting proposition. What's your source for Kaspersky's claim that DynDNS didn't offer their help? It is unclear to me whether Kaspersky actually -asked- DynDNS to cooperate and that DynDNS refused, or that Kaspersky claims that DynDNS did not offer help on DynDNS' own initiative (which might be less significant).

    FWIW, Mikko Hypponen expressed on October 18th 2011 via Twitter his surprise that Symantec (also a US company) did not (yet?) sinkhole kasperskychk.dyndns.org [1]. Obviously this does not warrant any conclusion beyond this observation, but it might be a clue to investigate that might support, but also might partially -falsify- what I believe, perhaps wrongfully, is implied by your proposition. If, hypothetically, DynDNS is in cahoots with the FBI re: Duqu, that might simply be to protect ongoing investigations rather than attempting to cover something up.

    Kind regards,
    Matthijs R. Koot

    [1] https://twitter.com/#!/mikko/statuses/126358754118733824

  2. Been using Kaspersky protection for a number of years, I would recommend this product to everybody.

  3. DreamHost is the best website hosting provider with plans for any hosting requirements.