Security Response
Showing posts tagged with W32.Stuxnet
Liam O Murchu | 29 Jul 2010 07:40:57 GMT

As we have mentioned in a previous blog, W32.Stuxnet contains a complex nested structure of files and components inside. We were interested to discover if the different samples we have seen in the wild were different variants or just modifications to the wrapper with the same components embedded. To determine if there are different variants of W32.Stuxnet we unraveled each sample in order to determine what the payload of each sample consisted of. Here we present the results of that analysis.

From the samples we have reviewed (we have only reviewed a subset of the total samples to date) we observed 4 distinct file sizes for the installer component as shown below. As you can see, although there are 4 different types of installers, the first 3 types are actually the same just with added...

Liam O Murchu | 26 Jul 2010 05:16:58 GMT

Previously in our series of blogs about Stuxnet we wrote about the installation details and the numerous files that are associated with the threat. In this installment I will discuss the network communication and command and control functionality of W32.Stuxnet. Although some of the tasks that the threat performs are automated, other tasks are performed only after the threat has connected to the command and control server and received specific instructions. It is this aspect of the threat that will be discussed here.

After the threat has installed itself, dropped its files, and gathered some information about the system, it contacts the C&C server on port 80 and sends some basic information...

Vikram Thakur | 23 Jul 2010 03:52:38 GMT

We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.

Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.

Within the past 72 hours we've seen close to 14,000...

Liam O Murchu | 22 Jul 2010 07:39:09 GMT

Previously, I blogged about the installation control flow used by W32.Stuxnet. In this blog I would like to discuss the complexity of the threat a little further and particularly focus on the number of different files used by the threat and the purpose of each of those files, along with which files are signed and which are not.

The main payload of the threat is a UPX packed .dll file that is contained in an encoded fashion inside one of the files that reside on an infected removable drive. When this UPX .dll file is decoded and unpacked it can be seen to contain many other files within itself as outlined below.

The packed UPX .dll file contains 13 different resources; these resources consist of various different...

Patrick Fitzgerald | 21 Jul 2010 18:19:05 GMT

W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.

Let’s start by saying we don’t know who is behind the attack, and historically discovering this is very rare. However, if someone proposed this type of attack a month ago, while we would have agreed it was theoretically possible, most would have dismissed such an attack as a movie-plot scenario. Furthermore, attacks of this nature are rarely disclosed publicly.

We know that the people behind this attack aren’t amateurs, but their final motive is unclear.

The principal facts in this case are:

  • The attackers discovered and used a zero-day vulnerability affecting all versions of Microsoft Windows.
  • They developed and...

Liam O Murchu | 21 Jul 2010 02:39:04 GMT

I’d like to address the control flow used by W32.Stuxnet. The threat has been gaining some attention due to the fact that it uses a currently unpatched Microsoft vulnerability to spread through removable drives but there are other interesting and novel aspects of the threat that I would like to highlight here.

The following files are present on infected removable drives:

  • Copy of Shortcut to.lnk
  • Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Copy of Shortcut to.lnk

These files exploit the currently unpatched Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).

Infected removable drives also contain the following files:

  • ~...

Symantec Security Response | 16 Jul 2010 22:05:04 GMT

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called “Tmphider" or "Stuxnet.” This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives—among other interesting features. We have compiled some of the questions we have been...