Hackers have been using a server in Belgium to collect data stolen from machines infected with the Duqu computer virus, after authorities shut down another rogue collection system in India, according to security experts.

Governments and security experts around the globe are working to unlock the secrets of Duqu, which some say could be the next big cyber threat after the Stuxnet virus that was believed to have infected Iran's nuclear program.

Researchers at Symantec Corp said they had identified a sample of Duqu that was configured to communicate with a specific server at Combell Group, one of Belgium's largest Web-hosting companies.

Hackers frequently use or lease servers at data centers to manage their malicious activities, without the knowledge of the data center operator. Symantec said in a report on its website on Tuesday that it had notified Combell that the server was being used for malicious activity, and that the hosting company had shut down that server.

But two employees with Combell told Reuters the server had not been shut down, saying it was running an email program that was communicating with other computers, potentially allowing hackers to retrieve data stolen from infected PCs.

Security experts with software maker F-Secure and the U.S. Cyber Consequences Unit nonprofit research institute also said the server was still running as of Thursday morning.

Combell Chief Technology Officer Benjamin Jacobs said the company was investigating the situation and would provide further information on the matter when it was available.

News of Duqu first surfaced two weeks ago after researchers at Hungary's Laboratory of Cryptography and System Security found a computer virus that contained code similar to Stuxnet. Early analysis suggested Duqu was developed by hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines.

Indian authorities last month seized computer equipment from a data center in Mumbai, after Symantec reported that one of its servers was communicating with computers infected with Duqu.


One of Brussels-based Combell's employees, who did not want to be identified as they were not authorized to speak for the company, said on Wednesday evening that the server had been running continuously for about a week and was leased through October 27 next year.

It looks fishy, he said, adding that somebody controlling the machine appeared to be intentionally deleting data that would log details about its communications. It's weird. The mail log itself has almost no entries. I think they are deleting data so they don't leave traces.

John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, also said that the server looked suspicious because it was running far fewer programs than its neighbors in the Combell data center.

He said that when the hackers moved their server from India to Belgium, they also modified the original technique used to communicate with computers infected by Duqu. This shift made it harder for companies to detect infected machines based on previous communication patterns.

Researchers at Symantec have said they believe Duqu may have been developed by the same engineers who built Stuxnet because some of the source code in the software is the same.

Other researchers disagree, saying the hackers could have reverse engineered the code for Stuxnet.

Stuxnet is believed to have crippled centrifuges that Iran uses to enrich uranium for what the United States and some European nations have charged is a covert nuclear weapons program.

(Reporting by Jim Finkle. Additional reporting by Edward Krudy; Editing by Maureen Bavdek)