A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2911  by EP_X0FF
 Fri Oct 01, 2010 3:25 pm
I don't think they exist.
 #2915  by Alex
 Sat Oct 02, 2010 7:47 am
All in all, I don't need the dropper or dropped files if they are available; I just would like to know something more about the 0-day vulnerability of win32k used by Stuxnet...
 #2917  by Jaxryley
 Sat Oct 02, 2010 12:59 pm
gjf wrote: Some additional link from another source :) And of course don't forget about the pioneers.

And the dropper is attached. BTW, the exploit is already published. So we will wait for more than just industrial espionage.
Ran the sample attached to the above post, winsta.exe, then ran the Stuxnet Removal tool and grabbed the flagged droppers.

mdmcpq3.PNF - 0/42
http://www.virustotal.com/file-scan/rep ... 1286023530

mdmeric3.PNF - 0/42
http://www.virustotal.com/file-scan/rep ... 1286023534

oem6C.PNF - 1/42
http://www.virustotal.com/file-scan/rep ... 1286023547

oem7A.PNF - 7/43
http://www.virustotal.com/file-scan/rep ... 1286023562

mrxcls.sys - 42/43
http://www.virustotal.com/file-scan/rep ... 1286023560

mrxnet.sys - 42/43
http://www.virustotal.com/file-scan/rep ... 1286023564
 #2935  by shaheen
 Tue Oct 05, 2010 10:45 am
Was anybody able to get a sample of the Stuxnet worm that will work via the .lnk exploit from a USB? I have the samples but they will not execute.

Thanks for the help.
 #2936  by nullptr
 Tue Oct 05, 2010 1:43 pm
Just found this in my collection - if it's already been posted, then this post will self destruct.
md5 - 74DDC49A7C121A61B8D06C03F92D0C13
sha-1 - 0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89
Attachment password: malware
 #2937  by Jaxryley
 Tue Oct 05, 2010 11:48 pm
The sample above is the same size as winsta.exe but packed slightly differently, and drops the same files.
 #2938  by shaheen
 Wed Oct 06, 2010 1:03 am
The dropper installs the rootkit but sadly it doesn't infect my USB. I want my USB to be infected.
 #2945  by CloneRanger
 Wed Oct 06, 2010 2:20 pm
Originally Posted by Alex

"I just would like to know something more about the 0-day vulnerability of win32k used by Stuxnet"
Out of the 4 vulnerabilities it attempted to use, these 2 are sort of hush hush right now - the Win32k.sys vulnerability and the Task Scheduler vulnerability. But someone on here must know, I would have thought ;)
(When the process does not have Administrator rights on the system it will try to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2 the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP the currently undisclosed win32k.sys escalation of privilege vulnerability is exploited.

If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with Administrator rights in the case of the Task Scheduler vulnerability.

The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the Win32k.sys Vulnerability and the Task Scheduler vulnerability currently are not released as patches are not yet available.)

http://www.symantec.com/content/en/us/e ... ossier.pdf
Originally Posted by shaheen

"I want my USB to be infected"
A couple of things to note !

1 - Your USB needs to be a U3 type for it to work, not just a Flash memory type.

2 - If your comp has been updated with the MS patch, or another vendor's fix, it won't work. If so, you might be able to remove it to test.
 #2962  by shaheen
 Thu Oct 07, 2010 9:39 pm
1- Are you sure about this? I never read it to be a condition.

2- My test system was not patched.