Security Response
Showing posts tagged with W32.Stuxnet
Eric Chien | 01 Oct 2010 06:50:21 GMT

We’re pleased to announce that we’ve compiled the results of many weeks of fast-paced analysis of Stuxnet into a white paper entitled the W32.Stuxnet Dossier. In addition to the elements we described in the ongoing Stuxnet summer blog series, you will find all technical details about the threat’s components and data structures, as well as high-level information, including:

  • Attack scenario and timeline
  • Infection statistics
  • Malware architecture
  • Description of all the exported routines
  • Injection techniques and anti-AV
  • The RPC component
  • Propagation methods
  • Command and control feature
  • The PLC infector

The paper is scheduled to be delivered at the Virus Bulletin 2010 conference and can be downloaded...

Nicolas Falliere | 27 Sep 2010 02:16:56 GMT

Previous blog entries have covered several different Stuxnet propagation vectors, from autorun.inf tricks to zero-day vulnerabilities. Our research has also uncovered another method of propagation that impacts Step7 project folders, causing one to unknowingly become infected when opening an infected project folder that may have originated from a third party.

The structure of a Step7 project folder is as follows:

ApiLog\...
CONN\...
Global\...
hOmSave7\...
XUTILS\...
XUTILS\listen\...
XUTILS\links\...
...
<projectname>.s7p
...

Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking...

Liam O Murchu | 24 Sep 2010 08:42:33 GMT

Code to exploit the zero-day .lnk file vulnerability (BID 43073) used by Stuxnet was added to the threat around March 2010; we know this because the samples we observed before this date did not contain code to exploit that vulnerability. This leads us to the following question: how did previous Stuxnet variants spread through removable devices?

The answer is that older versions did not use a vulnerability but instead an AutoRun trick to spread. The worm’s trick was to create an autorun.inf file in the root of removable drives that served two different purposes. The specially crafted file could be interpreted as either an executable file or as a correctly formatted autorun.inf file. When Windows parses autorun.inf files the parsing is quite forgiving. Specifically, any characters that...

Nicolas Falliere | 22 Sep 2010 06:58:20 GMT

We first mentioned that W32.Stuxnet targets industrial control systems (ICSs) -- such as those used in pipelines or nuclear power plants -- 2 months ago in our blog here and gave some more technical details here.

While we are going to include all of the technical details in a paper to be released at the Virus Bulletin Conference on September 29th, in recent days there has been significant interest in the process through which Stuxnet is able to infect a system and remain undetected.

Because Stuxnet targets a specific ICS, observing its behavior on a test system can be misleading, as the vast...

Fergal Ladley | 21 Sep 2010 22:30:43 GMT

Back in July we saw the Stuxnet worm targeting industrial control systems. The Stuxnet authors stole the digital signatures of two Taiwanese chip makers and used them on the rootkit employed by the worm. Just how they were getting their hands on the private keys needed to steal the signatures remains a missing piece of the Stuxnet puzzle.

In order to digitally sign a binary you must have a private key. If attackers can gain possession of the key, they can steal the key owner’s signature; therefore, the owner of the private key should ensure that it remains private. Somehow, these private keys were stolen and used by the Stuxnet authors to sign the rootkit in order to ensure that it would be loaded by Windows Vista and Windows 7.

Obtaining a private key for a digital certificate may not be as difficult as one imagines. Infostealer.Nimkey is an example of a threat that...

Liam O Murchu | 18 Sep 2010 04:29:21 GMT

We have been made aware of a recent blog posting pointing to the fact that the print spooler vulnerability used by W32.Stuxnet and addressed in the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability was in fact known about since 2009. An article was published in a security magazine that showed how the vulnerability worked in late 2009. We are currently investigating this; however, from our initial review of that article it appears to do exactly what Stuxnet does when exploiting the Print Spooler vulnerability. We will update this article with more information shortly.

Update: We have confirmed with Microsoft that this issue is indeed one that was patched with the release of ...

Liam O Murchu | 18 Sep 2010 02:45:36 GMT

Our analysis of Stuxnet has been ongoing for some time now; although we have not posted any information about it on our blog, we have been continuously analyzing the threat since it was discovered earlier this year. Initial investigation into the threat pointed to a command and control infrastructure as the method to control the threat. The command and control servers used were taken offline shortly after this control mechanism was discovered.

Our continued research has revealed that as well as being controlled via a command and control infrastructure, the threat also has the ability to update itself via a peer-to-peer component.

Infected machines contact each other and check which machine has the latest version of the threat installed. Whichever machine has the latest version transfers it to the other machine and in this way the worm is able to update itself without contacting a central command and control server. P2P networks are often used for the very...

Liam O Murchu | 14 Sep 2010 19:12:29 GMT

Our continued analysis of W32.Stuxnet has revealed a total of four zero-day vulnerabilities being used by the threat. We have already discussed the .lnk file vulnerability that Stuxnet uses to spread through USB drives here. Further investigations have revealed that Stuxnet uses one additional remote code execution vulnerability as well as two local privilege escalation vulnerabilities. We reported these vulnerabilities to Microsoft and today Microsoft has released a patch for the Print Spooler (CVE-2010-2729) remote code execution vulnerability. Microsoft is investigating both local elevation of privilege vulnerabilities and has confirmed that they do intend to address them in a future security bulletin.

We have already released signatures for the Print Spooler vulnerability; customers...

Nicolas Falliere | 06 Aug 2010 19:01:51 GMT

As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own...

khaley | 05 Aug 2010 17:03:25 GMT

Who would have thought that in 2010 we would have an attack based on—wait for it—sneakernet. The latest high-profile example of this is W32.Stuxnet. In the hoopla over some of the racier aspects of Stuxnet, this part is being ignored. And I don’t think it should be. We’ve been tracking the growing usage of this attack vector (USB thumb drives and the like being shared between computers) for years. In 2009, 72% of malicious code samples causing potential infections propagated using this mechanism, as discussed in the Symantec Internet Security Threat Report, Vol. XV. Why? Because it works. Nothing proved that more than...