
Security Response

Showing posts tagged with W32.Stuxnet
Liam O Murchu | 11 Jul 2011 14:15:33 GMT | 0 comments

Once in a while, a piece of malware will come along that grabs headlines. Rarer is malware that is talked about around the water cooler (at places other than Symantec). But the rarest of all is malware that actually makes history. It is for just such a piece of malware that we observe the one year anniversary this month.

Roughly around this time one year ago, a Belarusian computer security company reported finding malicious code designed to exploit a new Microsoft Windows vulnerability, dubbed the .LNK vulnerability. Little did they know this malware would change the world.

The fact that the malware exploited a zero-day vulnerability is significant, but certainly not history making. So, what made this malware so special? After the initial discovery, Symantec’s in-depth analysis of this particular malware ensued. Thousands of man hours analyzing 500 kilobytes of code later, the .LNK vulnerability was shown to be just the tip of the iceberg, and a very dangerous...

Téo Adams | 14 Feb 2011 17:57:22 GMT | 0 comments

There’s been lots of discussion lately on targeted attacks which are, as the name implies, cyberattacks directed at specific individuals, organizations, corporations, or sectors. These targeted attacks, particularly on critical infrastructure, are the focus of our Symantec Intelligence Quarterly Report: October – December 2010.

Attackers are getting smart and researching their target so that the attacks appear legitimate. The customization of targeted attacks can make them more dangerous than non-targeted attacks because they are tailored explicitly to affect a target group. Motivations for such customized attacks can range from stealing confidential information for profit, to interfering with day-to-day operations, to mischief. The most prominent recent targeted attacks are Hydraq, Stuxnet, and Night Dragon.

Targeted Attacks

It has been just one year since Hydraq, a.k.a. Aurora, was first discovered and used as part of a targeted...

Symantec Security Response | 11 Feb 2011 18:44:47 GMT | 0 comments

When we released our paper on Stuxnet by Nicolas Falliere, Liam O Murchu, and Eric Chien in September, we mentioned we’d likely continue to make revisions.

We have two major updates to the paper and some other minor changes throughout. A summary of these updates follows and more detailed information can be found in the paper. Please note that these new details are included in version 1.4 or higher.

First, in September, we mentioned that Stuxnet will record a timestamp along with other system information within itself each time a new infection occurs. However, at the time, this information was largely useless as we did not have enough samples to draw any meaningful conclusions. Over the last few months, we’ve...

Kevin Haley | 17 Nov 2010 13:50:44 GMT | 0 comments

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

Eric Chien | 12 Nov 2010 23:36:05 GMT | 0 comments

Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of an S7-300 CPU and a CP-342-5 Profibus communications module.

The target system would potentially look something like the diagram below:

...

Eric Chien | 03 Nov 2010 16:44:57 GMT | 0 comments

Since we still haven’t had much success in determining the likely target of Stuxnet, we have decided to release at a high level the behavior of the PLC code. However, we suspect this level of detail, while interesting, probably still is not enough to identify the potential target. You can find the additional information starting on page 38 of the latest revision of our paper.

Our previous call for verifiable experts in STL coding that have worked in multiple critical infrastructure industries and coded large STL programs for large industrial control systems in those multiple industries was unsuccessful. If anyone still wishes to help, they can contact me by clicking on my name at the top to send me a private message.

Originally this revision would have also described in more detail the remaining Task Scheduler privilege escalation vulnerability, but the vulnerability...

Shunichi Imano | 15 Oct 2010 12:21:31 GMT | 0 comments

W32.Stuxnet has been a subject of much discussion amongst security researchers and media, and Symantec Security Response has posted a whitepaper along with a series of blogs on the subject. As you may already be aware, Stuxnet is a hot topic as the threat targets industrial control systems in order to take control of industrial facilities and systems, such as manufacturing assembly lines and even power plants.

Because Stuxnet is such major news, the miscreants who like to spread malware are not wasting much time taking advantage of this for their malicious activities. In our investigations we have discovered that various forums are discussing a...

Robert Keith | 12 Oct 2010 21:24:12 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is, by far, the largest Patch Tuesday release since the start of the program. The vendor is releasing 16 bulletins covering a total of 49 vulnerabilities, including one of the zero-day vulnerabilities used by the Stuxnet threat.

Five of the issues are rated “Critical” and affect Internet Explorer, Embedded OpenType Fonts, .NET, and Media Player. The majority of the issues being addressed this month affect Excel (13 issues), Office (11 issues), and Internet Explorer (10 issues). The remaining issues affect Windows kernel-mode drivers, SChannel, OpenType Fonts, Shared Cluster Disks, Common Control Library, Local Procedure Call (LPC), Microsoft Foundation Classes (MFC), Active Template Library, Sharepoint, and Groove.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as...

Nicolas Falliere | 08 Oct 2010 21:16:56 GMT | 0 comments

In this blog, I’m going to provide extra details about the PLC infection process and how an operator can determine if their PLC is infected.

First, recall that Stuxnet’s end-goal is the infection of particular types of Simatic PLCs. In order to achieve this goal, a Simatic DLL is replaced and acts as a proxy between the Programming Environment and the PLC devices. That DLL is able to do the following:

  • monitor communication between the PLC and the Programming Environment
  • infect PLCs
  • mask potential PLC infections

A sequence consists of malicious blocks as well as infection stubs for already existing PLC blocks; Stuxnet contains two types of sequences.
Sequences A & B

The first type consists of two sequences, A and B. Each contains about 20 blocks, and specifically targets the PLC 315-2 by having specific system data blocks. See the Dossier for more information....

Eric Chien | 01 Oct 2010 06:50:21 GMT | 0 comments

We’re pleased to announce that we’ve compiled the results of many weeks of fast-paced analysis of Stuxnet into a white paper entitled the W32.Stuxnet Dossier. On top of finding elements we described in the ongoing Stuxnet summer blog series, you will find all technical details about the threat’s components and data structures, as well as high level information, including:

  • Attack scenario and timeline
  • Infection statistics
  • Malware architecture
  • Description of all the exported routines
  • Injection techniques and anti-AV
  • The RPC component
  • Propagation methods
  • Command and control feature
  • The PLC infector

The paper is scheduled to be delivered at the Virus Bulletin 2010 conference and can be downloaded...