A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24303  by Patrick
 Mon Nov 10, 2014 5:52 am
Hey all,

I'm trying to take a look at Stuxnet for knowledge related purposes. My problem is nothing happens after the dropper is executed. I'm on VMware w/ XP SP2, 1 core, PAE/DEP disabled.

Here's the thread with samples I've tried.

Any ideas?
 #24322  by rinn
 Wed Nov 12, 2014 12:10 pm

AFAIK they require proper naming to launch. I don't remember already, something with ~ in the beginning.

Best Regards,
 #24325  by Patrick
 Wed Nov 12, 2014 2:30 pm
I've tried that method, which was renaming the originally named DLLs to their hardcoded .tmp names, and then starting via CMD, and it didn't work. There was no error, etc, just nothing happened.

As far as executing the various malware.exe samples I've tried go, it either does nothing at all upon execution, crashes explorer.exe upon execution and the only thing left to do is force-quit and restart explorer (failed infection), or throws an invalid Win32App error. Not sure what how to proceed. FWIW, the OS (SP2) is also entirely unpatched. No Windows Updates installed whatsoever.

Upon executing malware.exe, does there need to be an active internet connection to drop/install the rootkit components? That's the only thing I can think that I don't have in my environment right now. I have the network isolated, with no active connection.
 #24329  by rinn
 Wed Nov 12, 2014 4:02 pm

Have you tried to do this:

set your time to 2010 or so, because if I remember correctly Stuxnet had a special timebomb inside.

If it started correctly it will drop filtering driver that will hide all related malware files on FS level.

Best Regards,
 #24333  by Patrick
 Wed Nov 12, 2014 4:39 pm
Changed the date to Jan 2010, executed a malware.exe sample, and it dropped the drivers! Thanks a million, my friend.

Without you I definitely wouldn't have been able to figure that out.
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7