A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1644  by a_d_13
 Thu Jul 22, 2010 1:10 pm
For those interested, here are four digitally signed drivers from the package that PX5 posted. Three of them are signed with a Realtek signature, and one with a JMicron digital signature. Right-clicking on a file and clicking "Properties" will allow you to view digital signature information.

Thanks,
--AD
Attachments
Pass: infected
(53.06 KiB) Downloaded 250 times
 #1647  by gjf
 Thu Jul 22, 2010 5:00 pm
Some additional link from other source :) And of course don't forget about the pioneers.

And dropper is attached. BTW exploit is already published. So will wait for more than just an industrial espionage.
Attachments
Pass is virus
(499.47 KiB) Downloaded 330 times
Last edited by gjf on Fri Jul 23, 2010 1:23 pm, edited 1 time in total.
 #1654  by Quads
 Fri Jul 23, 2010 1:10 am
A GMER log attached when PC is infected with stuxnet

Quads
Attachments
(11.52 KiB) Downloaded 206 times
 #1656  by EP_X0FF
 Fri Jul 23, 2010 3:13 pm
As far as I know from reports, LNK vulnerability/feature is now exploiting by few different malwares (excluding Stuxnet itself).
 #1657  by gjf
 Fri Jul 23, 2010 3:28 pm
EP_X0FF wrote:As far as I know from reports, LNK vulnerability/feature is now exploiting by few different malwares (excluding Stuxnet itself).
Could you be so kind to present the list of them and the source (link to these reports)?
 #1658  by EP_X0FF
 Fri Jul 23, 2010 3:31 pm
There no names currently for them. Several samples analyzed (not by me, so I can't post it there) shows downloader behavior linked with this *new* feature. They are downloading malware from network when viewing directory with LNK files. However they can be simple re-crypt of the one malware.
 #1659  by gR1
 Fri Jul 23, 2010 5:10 pm
Hi guys,
I'm having trouble getting Stuxnet to actually install drivers.
I've got the .lnk file from the previously published PoC (ivanlef0u), and it's pointing to the ~WTR4141.tmp (~25Kb) file (which I've renamed to dll.dll for convenience). Opening the folder containing the files (.lnk, above mentioned .dll and ~WTR4132.tmp (~500Kb)) hides the ~WTR4132.tmp file immediately, few seconds after the .dll gets a Hidden attribute and the .lnk remains completely visible in explorer.
I've tried a few variations of the files and attempted to run it from USB (modifying the .lnk so it points correctly to the USB drive), but no luck getting the drivers installed. I can see shell32.dll in explorer warning from gmer, but that's all. Restarting explorer returns visibility to the ~WTR4132.tmp (~500Kb) file.
I'm missing something, but can't figure out what... :/
Re: .lnk vulnerability used by non-stuxnet (brief report): http://threatpost.com/en_us/blogs/new-m ... law-072310

(p.s nice to be here :))
 #1660  by gjf
 Fri Jul 23, 2010 5:31 pm
gR1 wrote: ~WTR4141.tmp (~25Kb) file (which I've renamed to dll.dll for convenience)
It's not clear: have you remained the original name or "dll.dll"? If the name was not original it will not perform regsvr32 operation from LNK so the installation will be incomplete.

Possibly this is the point.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7