Hackers used a server in Belgium to collect data stolen from machines infected with the Duqu computer virus, after authorities shut down another rogue collection system in India, according to security experts.
Governments and security experts around the globe are working to unlock the secrets of the elusive malware, which some say could be the next big cyber threat after the Stuxnet virus that was believed to have infected Iran's nuclear program.
Researchers at Symantec said they had identified a sample of Duqu that was configured to communicate with a specific server at Combell Group, Belgium's largest web-hosting company.
Hackers frequently use or lease servers at data centers to manage their malicious activities, without the knowledge of the data center operator. Symantec said in a report on its website on Tuesday that it had notified Combell that the server was being used for malicious activity.
Combell Group said it shut down that server on Thursday in response to a query about the matter from Reuters.
"We investigated the case," Combell Business Development Manager Tom De Bast told Reuters. "We decided to shut down the server immediately."
News of Duqu first surfaced two weeks ago after researchers at Hungary's Laboratory of Cryptography and System Security found a computer virus that contained code similar to Stuxnet. Early analysis suggested Duqu was developed by hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines.
Indian authorities last month seized computer equipment from a data center in Mumbai, after Symantec reported that one of its servers was communicating with computers infected with Duqu.
One of Brussels-based Combell's employees, who did not want to be identified as they were not authorized to speak for the company, said on Wednesday evening that the server had been running continuously for about a week and was leased through October 27 next year.
"It looks fishy," he said, adding that somebody controlling the machine appeared to be intentionally deleting data that would log details about its communications. "It's weird. The mail log itself has almost no entries. I think they are deleting data so they don't leave traces."
John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, also said that the server looked suspicious because it was running far fewer programs than its neighbors in the Combell data center.
He said that when the hackers moved their server from India to Belgium, they also modified the original technique used to communicate with computers infected by Duqu. This shift made it harder for companies to detect infected machines based on previous communication patterns.
Researchers at Symantec have said they believe Duqu may have been developed by the same engineers who built Stuxnet because some of the source code in the software is the same.
Other researchers disagree, saying the hackers could have reverse engineered the code for Stuxnet.
Stuxnet is believed to have crippled centrifuges that Iran uses to enrich uranium for what the United States and some European nations have charged is a covert nuclear weapons program.
(Reporting by Jim Finkle. Additional reporting by Edward Krudy; Editing by Maureen Bavdek, Tim Dobbyn and Carol Bishopric)