Stuxnet case

Forum for analysis and discussion about malware.

Stuxnet case

Postby sww » Thu Jul 22, 2010 9:18 am

WBR
SWW

-->Virii Cthulhu has you<--
sww
 
Posts: 36
Joined: Sun Mar 14, 2010 9:35 pm
Location: Russian Federation
Reputation point: 17

Re: Stuxnet case

Postby PX5 » Thu Jul 22, 2010 12:43 pm

A pile of files I collected using the common names stuxnet + tmphider

http://removalhowtos.com/cm/stuxnet-tmphider.zip (27.7 MB)

I'll leave it there for a few days; sure as hell hope I remembered to add these in. :lol:
Arrogance led me to my Ignorance
PX5
 
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am
Reputation point: 53

Re: Stuxnet case

Postby a_d_13 » Thu Jul 22, 2010 1:10 pm

For those interested, here are four digitally signed drivers from the package that PX5 posted. Three of them are signed with a Realtek signature, and one with a JMicron digital signature. Right-clicking on a file and clicking "Properties" will allow you to view digital signature information.

Thanks,
--AD
a_d_13
Site Admin
 
Posts: 393
Joined: Sun Mar 07, 2010 3:31 am
Reputation point: 106
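The Properties dialog tells you whether Windows accepts a file's signature, but for triage it helps to know where the signature physically lives and who the certificates name, without trusting the shell. The following is an added example written for this page, not code from the thread or from any of the posters: it locates the Authenticode blob through the PE security data directory (entry 4, whose value is a file offset rather than an RVA), returns the raw PKCS#7 bytes for carving, and pulls out subject/issuer common names with a deliberately simple DER scan (search for the CN OID 2.5.4.3 and read the string that follows; this is a heuristic, not a full ASN.1 parser). The sample PE and the certificate bytes are constructed inline so the block runs offline; "Example Inc" and "Test CA" are made-up names, not signers seen on the real drivers.

```python
# Added example: locate and inspect an embedded Authenticode signature.
# Not from the forum thread; the sample PE below is constructed.
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def find_authenticode(data: bytes):
    """Return details of the embedded WIN_CERTIFICATE, or None if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        dd_off = opt + 96
    elif magic == 0x20B:                         # PE32+
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    # The security directory holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {
        "offset": off, "size": size, "length": length,
        "revision": revision, "type": cert_type,
        "pkcs7": data[off + 8:off + length],      # bCertificate: DER PKCS#7
    }


def common_names(der: bytes):
    """Heuristic: collect every CN string that follows OID 2.5.4.3 in a DER blob."""
    oid_cn = b"\x06\x03\x55\x04\x03"
    names, i = [], 0
    while True:
        i = der.find(oid_cn, i)
        if i < 0 or i + 7 > len(der):
            return names
        tag, ln = der[i + 5], der[i + 6]
        val = der[i + 7:i + 7 + ln]
        if ln < 0x80 and tag in (0x0C, 0x13):    # UTF8String / PrintableString
            names.append(val.decode("latin-1"))
        elif ln < 0x80 and tag == 0x1E:          # BMPString
            names.append(val.decode("utf-16-be"))
        i += len(oid_cn)


def build_sample_pe(signed: bool = True) -> bytes:
    """Constructed minimal PE32 with (optionally) a fake WIN_CERTIFICATE appended."""
    # Fake "DER": two CN attributes, just enough for common_names() to find.
    blob = (b"\x06\x03\x55\x04\x03\x13\x0bExample Inc"
            b"\x06\x03\x55\x04\x03\x0c\x07Test CA")
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", 16)
    cert_off = 0x40 + 4 + 20 + 96 + 16 * 8
    dirs = bytearray(16 * 8)
    win_cert = b""
    if signed:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, 8 + len(blob))
        win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + win_cert


if __name__ == "__main__":
    sig = find_authenticode(build_sample_pe())
    print("signature at 0x%x, type 0x%04x, names %s" % (sig["offset"], sig["type"], common_names(sig["pkcs7"])))
    print("unsigned sample ->", find_authenticode(build_sample_pe(signed=False)))
```

On a real driver, write `sig["pkcs7"]` to a file and run `openssl pkcs7 -inform DER -print_certs -in sig.p7b` to see the full certificate chain and timestamp; the presence of a certificate says nothing about whether the key was legitimately held by the named company, which is exactly the question these Realtek- and JMicron-signed drivers raise.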

Re: Stuxnet case

Postby gjf » Thu Jul 22, 2010 5:00 pm

Some additional links from another source :) And of course, don't forget about the pioneers.

And the dropper is attached. BTW, the exploit is already published. So we will wait for more than just industrial espionage.
Last edited by gjf on Fri Jul 23, 2010 1:23 pm, edited 1 time in total.
VirusInfo / Defendium / SafeZone Helpers Crew
gjf
 
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home
Reputation point: 26

Re: Stuxnet case

Postby Quads » Fri Jul 23, 2010 1:10 am

A GMER log is attached, taken from a PC infected with Stuxnet.

Quads
Quads
 
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand
Reputation point: 22

Re: Stuxnet case

Postby EP_X0FF » Fri Jul 23, 2010 3:13 pm

As far as I know from reports, the LNK vulnerability/feature is now being exploited by a few different pieces of malware (excluding Stuxnet itself).
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: Stuxnet case

Postby gjf » Fri Jul 23, 2010 3:28 pm

EP_X0FF wrote: As far as I know from reports, the LNK vulnerability/feature is now being exploited by a few different pieces of malware (excluding Stuxnet itself).

Could you be so kind as to present a list of them and the source (links to these reports)?
VirusInfo / Defendium / SafeZone Helpers Crew
gjf
 
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home
Reputation point: 26

Re: Stuxnet case

Postby EP_X0FF » Fri Jul 23, 2010 3:31 pm

There are no names for them currently. Several analyzed samples (not by me, so I can't post them here) show downloader behavior linked with this *new* feature. They download malware from the network when a directory with LNK files is viewed. However, they could be simple re-crypts of the same malware.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: Stuxnet case

Postby gR1 » Fri Jul 23, 2010 5:10 pm

Hi guys,
I'm having trouble getting Stuxnet to actually install drivers.
I've got the .lnk file from the previously published PoC (ivanlef0u), and it's pointing to the ~WTR4141.tmp (~25 KB) file (which I've renamed to dll.dll for convenience). Opening the folder containing the files (the .lnk, the above-mentioned .dll and ~WTR4132.tmp (~500 KB)) hides the ~WTR4132.tmp file immediately; a few seconds later the .dll gets a Hidden attribute, and the .lnk remains completely visible in Explorer.
I've tried a few variations of the files and attempted to run it from USB (modifying the .lnk so it points correctly to the USB drive), but no luck getting the drivers installed. I can see the shell32.dll-in-explorer warning from GMER, but that's all. Restarting Explorer returns visibility to the ~WTR4132.tmp (~500 KB) file.
I'm missing something, but can't figure out what... :/
Re: .lnk vulnerability used by non-stuxnet (brief report): http://threatpost.com/en_us/blogs/new-m ... law-072310

(p.s nice to be here :))
gR1
 
Posts: 5
Joined: Fri Jul 23, 2010 4:07 pm
Reputation point: 2
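When a .lnk "points to" a .tmp file yet shows nothing useful in its Properties, the target is carried in the LinkTargetIDList rather than in a path string, so a normal shortcut viewer will not display it. The block below is an added example written for this page, not code from the thread or from the PoC it mentions: a small parser for the MS-SHLLINK header and IDList that decodes the LinkFlags, walks the item IDs, reports known shell-folder CLSIDs found inside them (My Computer and Control Panel), and extracts any embedded UTF-16 strings, which is how you confirm what filename such a link actually references. The triage rule at the end (IDList only, no LinkInfo or relative path, a Control Panel item, and a string naming a .dll or .tmp) is my own heuristic for this shape of link, not a published signature. The sample .lnk is constructed inline with a made-up path so the code runs offline; the item layout in `build_sample_lnk` is simplified and should not be read as the exact byte layout of the real exploit file.

```python
# Added example: inspect the IDList of a Windows Shell Link (.lnk).
# Not from the forum thread; the sample link below is constructed.
import re
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
KNOWN_CLSIDS = {
    uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d"): "My Computer",
    uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d"): "Control Panel",
}
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation",
}
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # >= 6 printable UTF-16LE chars


def _utf16_strings(item: bytes):
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(item)]


def _clsids(item: bytes):
    return [name for guid, name in KNOWN_CLSIDS.items() if guid.bytes_le in item]


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader + LinkTargetIDList; later structures are not parsed."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": [n for bit, n in LINK_FLAGS.items() if flags & bit], "items": []}
    off = 0x4C
    if flags & 0x01:
        idlist_size = struct.unpack_from("<H", data, off)[0]
        off += 2
        end = off + idlist_size                       # IDListSize includes TerminalID
        while off + 2 <= end:
            item_size = struct.unpack_from("<H", data, off)[0]
            if item_size == 0:                        # TerminalID
                break
            item = data[off:off + item_size]
            off += item_size
            info["items"].append({"size": item_size,
                                  "clsids": _clsids(item),
                                  "strings": _utf16_strings(item)})
    return info


def idlist_only_dll_link(info: dict) -> bool:
    """Heuristic (assumption, not a signature): link whose only content is an
    IDList containing a Control Panel item and a string naming a .dll/.tmp."""
    flags = set(info["flags"])
    if "HasLinkTargetIDList" not in flags or flags & {"HasLinkInfo", "HasRelativePath"}:
        return False
    has_cpl = any("Control Panel" in it["clsids"] for it in info["items"])
    names_dll = any(s.lower().endswith((".dll", ".tmp"))
                    for it in info["items"] for s in it["strings"])
    return has_cpl and names_dll


def build_sample_lnk() -> bytes:
    """Constructed .lnk: header with only HasLinkTargetIDList, 3 simplified items."""
    def item(payload: bytes) -> bytes:
        return struct.pack("<H", len(payload) + 2) + payload
    my_computer = item(b"\x1f\x50" + KNOWN_CLSIDS_BY_NAME["My Computer"].bytes_le)
    control_panel = item(b"\x1f\x00" + KNOWN_CLSIDS_BY_NAME["Control Panel"].bytes_le)
    fake_path = "C:\\Temp\\~WTR4141.tmp"                 # made-up path for the example
    cpl_item = item(b"\x00" * 4 + fake_path.encode("utf-16-le") + b"\x00\x00")
    idlist = my_computer + control_panel + cpl_item + b"\x00\x00"
    header = struct.pack("<I", 0x4C) + LINK_CLSID.bytes_le + struct.pack("<I", 0x01)
    header += b"\x00" * (0x4C - len(header))
    return header + struct.pack("<H", len(idlist)) + idlist


KNOWN_CLSIDS_BY_NAME = {v: k for k, v in KNOWN_CLSIDS.items()}

if __name__ == "__main__":
    info = parse_lnk(build_sample_lnk())
    print(info["flags"])
    for it in info["items"]:
        print(it)
    print("idlist-only dll link:", idlist_only_dll_link(info))
```

Run it against a real .lnk by replacing `build_sample_lnk()` with the file's bytes; if the target you expect (here the ~WTR4141.tmp name) only appears as a string inside an IDList item, renaming that file on disk leaves the link pointing at a name that no longer exists, which matches the symptom described in the post.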

Re: Stuxnet case

Postby gjf » Fri Jul 23, 2010 5:31 pm

gR1 wrote: ~WTR4141.tmp (~25 KB) file (which I've renamed to dll.dll for convenience)

It's not clear: did you keep the original name, or "dll.dll"? If the name is not the original one, it will not perform the regsvr32 operation from the LNK, so the installation will be incomplete.

Possibly this is the point.
VirusInfo / Defendium / SafeZone Helpers Crew
gjf
 
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home
Reputation point: 26
