Liam O Murchu's blog

Once in a while, a piece of malware will come along that grabs headlines. Rarer is malware that is talked about around the water cooler (at places other than Symantec). But the rarest of all is malware that actually makes history. It is for just such a piece of malware that we observe the one year anniversary this month.

Code to exploit the zero-day .lnk file vulnerability (BID 43073) used by Stuxnet was added to the threat around March 2010; we know this because the samples we observed before this date did not contain code to exploit that vulnerability.

We have been made aware of a recent blog posting pointing to the fact that the print spooler vulnerability used by W32.Stuxnet and addressed in the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability was in fact known

Our analysis of Stuxnet has been ongoing for some time now, although we have not posted any information on our blog about it we have been continuously analyzing the threat since it was discovered earlier this year.

Our continued analysis of W32.Stuxnet has revealed a total of four zero-day vulnerabilities being used by the threat.

As we have mentioned in a previous blog W32.Stuxnet contains a complex nested structure of files and components inside.  We were interested to discover if the different samples we have seen in the wild we

Previously in our series of blogs about Stuxnet we wrote about the installation details and the numerous files that are associated with the threat.

Previously, I blogged about the installation control flow used by W32.Stuxnet.

I’d like to address the control flow used by W32.Stuxnet.

We recently received a file (from CERT) for analysis. We found that the file was a Trojan that opens a back door on a compromised computer and listens for commands on port 7777. This by itself is not very unusual, but what surprised us was that this file was being distributed by Energizer Inc as part of a USB charger-monitoring software package.