 #1644  by a_d_13
 Thu Jul 22, 2010 1:10 pm
For those interested, here are four digitally signed drivers from the package that PX5 posted. Three of them are signed with a Realtek signature, and one with a JMicron digital signature. Right-clicking on a file and clicking "Properties" will allow you to view digital signature information.

Thanks,
--AD
Attachments
Pass: infected
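To check what a_d_13 describes without opening the Properties dialog on each file, here is an added PowerShell snippet (not from the thread or its attachments) that lists the Authenticode signer and signature status of the files in a folder; the folder path is a placeholder assumption.

```powershell
# Added example: report Authenticode signer and status for driver/DLL files.
# The path below is a placeholder assumption; point it at the extracted files.
$folder = 'C:\samples\drivers'

Get-ChildItem -Path $folder -File |
    Where-Object { $_.Extension -in '.sys', '.dll', '.tmp' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.Name
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            # Valid only means the chain verified on this machine; it says nothing
            # about whether the signer's key was misused, so compare Signer and
            # Thumbprint against the vendor's legitimately shipped drivers.
        }
    } | Format-Table -AutoSize
```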
 #1647  by gjf
 Thu Jul 22, 2010 5:00 pm
Some additional link from another source :) And of course don't forget about the pioneers.

And the dropper is attached. BTW, the exploit is already published. So we will wait for more than just industrial espionage.
Attachments
Pass is virus
 #1654  by Quads
 Fri Jul 23, 2010 1:10 am
A GMER log is attached, taken when the PC is infected with Stuxnet.

Quads
Attachments
 #1656  by EP_X0FF
 Fri Jul 23, 2010 3:13 pm
As far as I know from reports, the LNK vulnerability/feature is now being exploited by a few different malwares (excluding Stuxnet itself).
 #1657  by gjf
 Fri Jul 23, 2010 3:28 pm
EP_X0FF wrote: As far as I know from reports, the LNK vulnerability/feature is now being exploited by a few different malwares (excluding Stuxnet itself).
Could you be so kind as to present the list of them and the source (links to these reports)?
 #1658  by EP_X0FF
 Fri Jul 23, 2010 3:31 pm
There are no names for them currently. Several samples analyzed (not by me, so I can't post them here) show downloader behavior linked with this *new* feature. They download malware from the network when a directory with LNK files is viewed. However, they may be simple re-crypts of the one malware.
 #1659  by gR1
 Fri Jul 23, 2010 5:10 pm
Hi guys,
I'm having trouble getting Stuxnet to actually install drivers.
I've got the .lnk file from the previously published PoC (ivanlef0u), and it's pointing to the ~WTR4141.tmp (~25Kb) file (which I've renamed to dll.dll for convenience). Opening the folder containing the files (.lnk, the above-mentioned .dll and ~WTR4132.tmp (~500Kb)) hides the ~WTR4132.tmp file immediately; a few seconds later the .dll gets a Hidden attribute, and the .lnk remains completely visible in Explorer.
I've tried a few variations of the files and attempted to run it from USB (modifying the .lnk so it points correctly to the USB drive), but no luck getting the drivers installed. I can see a shell32.dll-in-explorer warning from GMER, but that's all. Restarting Explorer returns visibility to the ~WTR4132.tmp (~500Kb) file.
I'm missing something, but can't figure out what... :/
Re: .lnk vulnerability used by non-Stuxnet malware (brief report): http://threatpost.com/en_us/blogs/new-m ... law-072310

(p.s nice to be here :))
 #1660  by gjf
 Fri Jul 23, 2010 5:31 pm
gR1 wrote: ~WTR4141.tmp (~25Kb) file (which I've renamed to dll.dll for convenience)
It's not clear: have you kept the original name, or "dll.dll"? If the name is not the original, it will not perform the regsvr32 operation from the LNK, so the installation will be incomplete.

Possibly this is the point.