
Security Response

Showing posts tagged with W32.Stuxnet
Liam O Murchu | 26 Jul 2010 05:16:58 GMT | 0 comments

Previously in our series of blogs about Stuxnet we wrote about the installation details and the numerous files that are associated with the threat. In this installment I will discuss the network communication and command and control functionality of W32.Stuxnet. Although some of the tasks that the threat performs are automated, other tasks are performed only after the threat has connected to the command and control server and received specific instructions. It is this aspect of the threat that will be discussed here.

After the threat has installed itself, dropped its files, and gathered some information about the system, it contacts the C&C server on port 80 and sends some basic information...

Vikram Thakur | 23 Jul 2010 03:52:38 GMT | 0 comments

We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.

Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.

Within the past 72 hours we've seen close to 14,000...

Liam O Murchu | 22 Jul 2010 07:39:09 GMT | 0 comments

Previously, I blogged about the installation control flow used by W32.Stuxnet. In this blog I would like to discuss the complexity of the threat a little further and particularly focus on the number of different files used by the threat and the purpose of each of those files, along with which files are signed and which are not.

The main payload of the threat is a UPX-packed .dll file that is contained in an encoded fashion inside one of the files that reside on an infected removable drive. When this UPX .dll file is decoded and unpacked, it can be seen to contain many other files within itself, as outlined below.

The packed UPX .dll file contains 13 different resources. These resources consist of various different...

Patrick Fitzgerald | 21 Jul 2010 18:19:05 GMT | 0 comments

W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.

Let’s start by saying we don’t know who is behind the attack, and historically discovering this is very rare. However, if someone proposed this type of attack a month ago, while we would have agreed it was theoretically possible, most would have dismissed such an attack as a movie-plot scenario. Furthermore, attacks of this nature are rarely disclosed publicly.

We know that the people behind this attack aren’t amateurs, but their final motive is unclear.

The principal facts in this case are:

  • The attackers discovered and used a zero-day...

Liam O Murchu | 21 Jul 2010 02:39:04 GMT | 0 comments

I’d like to address the control flow used by W32.Stuxnet. The threat has been gaining some attention due to the fact that it uses a currently unpatched Microsoft vulnerability to spread through removable drives, but there are other interesting and novel aspects of the threat that I would like to highlight here.

The following files are present on infected removable drives:

  • Copy of Shortcut to.lnk
  • Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Copy of Shortcut to.lnk

These files exploit the currently unpatched Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

Infected removable drives also contain the following files:

  • ~WTR4141.tmp (~...

Symantec Security Response | 16 Jul 2010 22:05:04 GMT | 0 comments

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called “Tmphider” or “Stuxnet.” This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives—among other interesting features. We have compiled some of the questions we have been...