[Patrick]

Hey all,

I'm trying to take a look at Stuxnet for knowledge related purposes. My problem is nothing happens after the dropper is executed. I'm on VMware w/ XP SP2, 1 core, PAE/DEP disabled.

Here's the thread with samples I've tried.

Any ideas?

[rinn]

Hello,

AFAIK they require proper naming to launch. I don't remember already, something with ~ in the beginning.

Best Regards,
-rin

[Patrick]

I've tried that method, which was renaming the originally named DLLs to their hardcoded .tmp names, and then starting via CMD, and it didn't work. There was no error, etc, just nothing happened.

As far as executing the various malware.exe samples I've tried go, it either does nothing at all upon execution, crashes explorer.exe upon execution and the only thing left to do is force-quit and restart explorer (failed infection), or throws an invalid Win32App error. Not sure what how to proceed. FWIW, the OS (SP2) is also entirely unpatched. No Windows Updates installed whatsoever.

Upon executing malware.exe, does there need to be an active internet connection to drop/install the rootkit components? That's the only thing I can think that I don't have in my environment right now. I have the network isolated, with no active connection.

[rinn]

Hi,

Have you tried to do this:

set your time to 2010 or so, because if I remember correctly Stuxnet had a special timebomb inside.

If it started correctly it will drop filtering driver that will hide all related malware files on FS level.

Best Regards,
-rin

[Patrick]

Changed the date to Jan 2010, executed a malware.exe sample, and it dropped the drivers! Thanks a million, my friend.

Without you I definitely wouldn't have been able to figure that out.