[Alex]

W32.Stuxnet Dossier (Septermber 2010, version 1.0)

Does anyone of you have a fresh dropper of Stuxnet?

[EP_X0FF]

I don't think they exists.

[Alex]

All in all I don't need dropper or dropped files if they are available, I just would like to know something more about the 0-day vulnerability of win32k used by Stuxnet...

[Jaxryley]

Some additional link from other source :) And of course don't forget about the pioneers.

And dropper is attached. BTW exploit is already published. So will wait for more than just an industrial espionage.

Ran the sample attached to the above post, winsta.exe then ran the Stuxnet Removal tool and grabbed the flagged droppers.

mdmcpq3.PNF - 0/42
http://www.virustotal.com/file-scan/rep ... 1286023530

mdmeric3.PNF - 0/42
http://www.virustotal.com/file-scan/rep ... 1286023534

oem6C.PNF - 1/42
http://www.virustotal.com/file-scan/rep ... 1286023547

oem7A.PNF - 7/43
http://www.virustotal.com/file-scan/rep ... 1286023562

mrxcls.sys - 42/43
http://www.virustotal.com/file-scan/rep ... 1286023560

mrxnet.sys - 42/43
http://www.virustotal.com/file-scan/rep ... 1286023564

Stuxnet.rar

(1.3 MiB) Downloaded 643 times

Stux.JPG (42.23 KiB) Viewed 633 times

[shaheen]

Was any body able to get sample of Stuxnet worm that will work via .lnk exploit from a USB? I have the smples but they will not execute.

Thanks for the help.

[nullptr]

Just found this in my collection - if it's already been posted, then this post will self destruct.
md5 - 74DDC49A7C121A61B8D06C03F92D0C13
sha-1 - 0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89

[Jaxryley]

The sample above is the same size as winsta.exe but packed slightly different and drops the same.

[shaheen]

The dropper installs the rootkit but sadly it doesn,t infect my USB. I want my USB to be infected.

[CloneRanger]

Originally Posted by Alex

"I just would like to know something more about the 0-day vulnerability of win32k used by Stuxnet"

Out of the 4 vulnerabilities it attempted to use, these 2 are sort of hush hush right now - Win32k.sys Vulnerability and the Task Scheduler vulnerability. But someone on here must know, i would have thought ;)

(When the process does not have Adminstrator rights on the system it will try to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2 the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP the currently undisclosed win32k.sys escalation of privilege vulnerability is exploited.

If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with Adminstrator rights in the case of the Task Scheduler vulnerability.

The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the Win32k.sys Vulnerability and the Task Scheduler vulnerability currently are not released as patches are not yet available.)

http://www.symantec.com/content/en/us/e ... ossier.pdf

Originally Posted by shaheen

"I want my USB to be infected"

A couple of things to note !

1 - Your USB needs to be a U3 type for it to work, not just a Flash memory type.

2 - If your comp has been updated with the MS patch, or another vendors Fix, it won't work. If so you might be able to remove it to test.

[shaheen]

1- Are you sure about this? I never read it to be condition.

2- My test system was not patched.