Security Response
Showing posts tagged with W32.Stuxnet
Symantec Security Response | 18 Oct 2011 16:59:09 GMT

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the...

Liam O Murchu | 11 Jul 2011 14:15:33 GMT

Once in a while, a piece of malware will come along that grabs headlines. Rarer is malware that is talked about around the water cooler (at places other than Symantec). But the rarest of all is malware that actually makes history. It is for just such a piece of malware that we observe the one year anniversary this month.

Roughly around this time one year ago, a Belarusian computer security company reported finding malicious code designed to exploit a new Microsoft Windows vulnerability, dubbed the .LNK vulnerability. Little did they know this malware would change the world.

The fact that the malware exploited a zero-day vulnerability is significant, but certainly not history making. So, what made this malware so special? After the initial discovery, Symantec’s in-depth analysis of this particular malware ensued. Thousands of man hours analyzing 500 kilobytes of code later, the .LNK vulnerability was shown to be just the tip of the iceberg, and a very dangerous...

Téo Adams | 14 Feb 2011 17:57:22 GMT

There’s been lots of discussion lately on targeted attacks which are, as the name implies, cyberattacks directed at specific individuals, organizations, corporations, or sectors. These targeted attacks, particularly on critical infrastructure, are the focus of our Symantec Intelligence Quarterly Report: October – December 2010.

Attackers are getting smart and researching their target so that the attacks appear legitimate. The customization of targeted attacks can make them more dangerous than non-targeted attacks because they are tailored explicitly to affect a target group. Motivations for such customized attacks can range from stealing confidential information for profit, to interfering with day-to-day operations, to mischief. The most prominent recent targeted attacks are Hydraq, Stuxnet, and Night Dragon.

Targeted Attacks

It has been just one year since Hydraq, a.k.a. Aurora, was first discovered and used as part of a targeted...

Symantec Security Response | 11 Feb 2011 18:44:47 GMT

When we released our paper on Stuxnet by Nicolas Falliere, Liam O Murchu, and Eric Chien in September, we mentioned we’d likely continue to make revisions.

We have two major updates to the paper and some other minor changes throughout. A summary of these updates follows and more detailed information can be found in the paper. Please note that these new details are included in version 1.4 or higher.

First, in September, we mentioned that Stuxnet will record a timestamp along with other system information within itself each time a new infection occurs. However, at the time, this information was largely useless as we did not have enough samples to draw any meaningful conclusions. Over the last few months, we’ve...

khaley | 17 Nov 2010 13:50:44 GMT

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

Eric Chien | 12 Nov 2010 23:36:05 GMT

Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of an S7-300 CPU and a CP-342-5 Profibus communications module.

The target system would potentially look something like the diagram below:


Eric Chien | 03 Nov 2010 16:44:57 GMT

Since we still haven’t had much success in determining the likely target of Stuxnet, we have decided to release at a high level the behavior of the PLC code. However, we suspect this level of detail, while interesting, probably still is not enough to identify the potential target. You can find the additional information starting on page 38 of the latest revision of our paper.

Our previous call for verifiable experts in STL coding that have worked in multiple critical infrastructure industries and coded large STL programs for large industrial control systems in those multiple industries was unsuccessful.  If anyone still wishes to help, they can contact me by clicking on my name at the top to send me a private message.  

Originally this revision would have also described in more detail the remaining Task Scheduler privilege escalation vulnerability, but the vulnerability...

Shunichi Imano | 15 Oct 2010 12:21:31 GMT


W32.Stuxnet has been a subject of much discussion amongst security researchers and media, and Symantec Security Response has posted a whitepaper along with a series of blogs on the subject. As you may already be aware, Stuxnet is a hot topic as the threat targets industrial control systems in order to take control of industrial facilities and systems, such as manufacturing assembly lines and even power plants.

Because Stuxnet is such major news, the miscreants who like to spread malware are not wasting much time taking advantage of this for their malicious activities. In our investigations we have discovered that various forums are discussing a...

Robert Keith | 12 Oct 2010 21:24:12 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is, by far, the largest Patch Tuesday release since the start of the program. The vendor is releasing 16 bulletins covering a total of 49 vulnerabilities, including one of the zero-day vulnerabilities used by the Stuxnet threat.

Five of the issues are rated “Critical” and affect Internet Explorer, Embedded OpenType Fonts, .NET, and Media Player. The majority of the issues being addressed this month affect Excel (13 issues), Office (11 issues), and Internet Explorer (10 issues). The remaining issues affect Windows kernel-mode drivers, SChannel, OpenType Fonts, Shared Cluster Disks, Common Control Library, Local Procedure Call (LPC), Microsoft Foundation Classes (MFC), Active Template Library, Sharepoint, and Groove.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as...

Nicolas Falliere | 08 Oct 2010 21:16:56 GMT

In this blog, I’m going to provide extra details about the PLC infection process and how an operator can determine if their PLC is infected.   

First, recall that Stuxnet’s end-goal is the infection of particular types of Simatic PLCs. In order to achieve this goal, a Simatic DLL is replaced and acts as a proxy between the Programming Environment and the PLC devices. That DLL is able to do the following:

  • monitor communication between the PLC and the Programming Environment
  • infect PLCs
  • mask potential PLC infections

A sequence consists of malicious blocks as well as infection stubs for already existing PLC blocks; Stuxnet contains two types of sequences.


Sequences A & B

The first type consists of two sequences, A and B. Each contains about 20 blocks and specifically targets PLC 315-2 by having specific system data blocks. See the Dossier for more information....