Wilders Security Forums  

Other Security Topics > malware problems & news
#251
August 10th, 2010, 11:23 AM
CloneRanger
Re: Rootkit.TmpHider

Quote:
Sality goes LNK

The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this past weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded by Sality (sequence ID 122) refers to a few URLs, including Sality-standard hack tools (mail relay, HTTP proxy), but also to a dropper for Sality itself.

*

Fortunately, the fact that Microsoft published the patch last week should severely impede the effectiveness of this attack.

http://www.symantec.com/connect/fr/b...ality-goes-lnk

Interesting they only say "impede"

Seems like the Sality gang did waste time, and launched the latest nasties after the patch was released. I suppose they are "Banking" on some people not being updated, as indeed they won't be.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#252
August 15th, 2010, 12:14 AM
MrBrian
Re: Rootkit.TmpHider

From Stuxnet could hijack power plants, refineries:
Quote:
The malware, which made headlines in July, is written to steal code and design projects from databases inside systems found to be running Siemens Simatic WinCC software used to control systems such as industrial manufacturing and utilities. The Stuxnet software also has been found to upload its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs. It's unclear at this point what the code does, O'Murchu said.

An attacker could use the back door to remotely do any number of things on the computer, like download files, execute processes, and delete files, but an attacker could also conceivably interfere with critical operations of a plant to do things like close valves and shut off output systems, according to O'Murchu.
#253
August 17th, 2010, 02:18 PM
CloneRanger
Re: Rootkit.TmpHider

Quote:
Can you say bad path?

There has been a lot of talk about the recent .LNK exploit so naturally I had to play with some shortcuts in a hex editor. Turns out that explorer seems to trust whatever content is in the ItemIdList!

https://windowssucks.wordpress.com/2...u-say-bad-path

.....

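An added example to go with the ItemIdList observation quoted above (this is not code from the blog post or from anyone in this thread): a small Python triage parser that reads the ShellLinkHeader of a .lnk file, walks its LinkTargetIDList, and flags any ItemID whose bytes embed a path ending in .dll. The header layout and IDList framing follow the MS-SHLLINK specification; the ".dll inside an ItemID" rule is a heuristic chosen here for triage, not a rule from the page, and the shortcut bytes it runs on are constructed inline rather than captured samples.

```python
import re
import struct

# ShellLinkHeader constants from MS-SHLLINK: fixed 0x4C-byte header,
# LinkCLSID {00021401-0000-0000-C000-000000000046} stored little-endian,
# LinkFlags at offset 0x14 with bit 0 = HasLinkTargetIDList.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ID_LIST = 0x1

# Triage heuristic (an assumption of this example, not from the page):
# an ItemID that carries a path to a .dll deserves a human look, because
# a shortcut target is normally a file to open, not a library to load.
DLL_HINT = re.compile(r"\.dll\b", re.IGNORECASE)


def parse_idlist(data: bytes) -> list[bytes]:
    """Return the payload of each ItemID in the LinkTargetIDList.

    Raises ValueError for anything that is not a well-formed shell link,
    so a truncated or oversized IDList is reported rather than trusted.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    if not flags & FLAG_HAS_ID_LIST:
        return []  # no IDList present, nothing to walk

    (idlist_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    start = HEADER_SIZE + 2
    end = start + idlist_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")

    items = []
    pos = start
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            return items
        if item_size < 2 or pos + item_size > end:
            raise ValueError("ItemIDSize inconsistent with IDListSize")
        items.append(data[pos + 2:pos + item_size])  # payload after the size field
        pos += item_size
    raise ValueError("IDList missing its TerminalID")


def embedded_strings(blob: bytes) -> list[str]:
    """Extract printable ASCII and UTF-16LE runs (4+ chars) from an ItemID."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{4,}", blob)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", blob)]
    return ascii_runs + wide_runs


def classify(data: bytes) -> str:
    """'malformed', 'suspicious' (an ItemID embeds a .dll path) or 'clean'."""
    try:
        items = parse_idlist(data)
    except ValueError:
        return "malformed"
    for item in items:
        if any(DLL_HINT.search(s) for s in embedded_strings(item)):
            return "suspicious"
    return "clean"


def build_sample(target: str) -> bytes:
    """Construct a minimal .lnk for testing: header plus one ItemID whose
    payload is the UTF-16LE target path. Constructed input, not a real shortcut."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, FLAG_HAS_ID_LIST)
    payload = target.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", len(payload) + 2) + payload
    idlist = item + b"\x00\x00"  # ItemID followed by TerminalID
    return bytes(header) + struct.pack("<H", len(idlist)) + idlist


if __name__ == "__main__":
    samples = [
        ("document shortcut", build_sample(r"C:\Users\Public\report.txt")),
        ("library in ItemID", build_sample(r"C:\Windows\Temp\payload.dll")),
        ("truncated IDList", build_sample(r"C:\a.txt")[:-2]),
    ]
    for name, lnk in samples:
        print(f"{name}: {classify(lnk)}")
```

The point of the parser is the framing checks: every size field is validated against the enclosing structure before it is used, which is exactly what a consumer that "trusts whatever content is in the ItemIdList" would not do. The .dll rule only raises a hand for a reviewer; it says nothing about whether Explorer would actually load the file, and legitimate shortcuts can trip it, so it belongs in a triage queue alongside patch status rather than in an automatic block.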
#254
August 18th, 2010, 04:07 PM
Malcontent
Stuxnet: Dissecting the Worm

http://www.technewsworld.com/story/S...orm-70622.html

Quote:
Security researchers are scratching their heads trying to determine the origin of the Stuxnet worm, a piece of malware that targets large industrial control systems. Judging by the way it's constructed, the information it targets and some of the organizations that have been hit, the worm may have been created by a national government. Others, however, have their doubts.

__________________
Avast + WinPatrol Plus + Router/SPI
#255
August 19th, 2010, 02:50 PM
CloneRanger
Re: Rootkit.TmpHider

False SCADA attack from 2009 turns into Real ones over a year later. I wonder if the Stuxnet coders got the idea from this?

Quote:
Let’s begin with a straightforward statement. McAfee expert Francois Paget got duped by a YouTube video, he went “nutty professor,” and he wrote a hysterical blog about it on McAfee’s official website

http://vmyths.com/2009/05/28/mcafee-2

Quote:
The McAfee blog

Urban ‘Attack’ on Infrastructure Friday May 22, 2009 at 6:59 am - http://www.avertlabs.com/research/bl...infrastructure

The video is funny -http://www.youtube.com/watch?v=0L7DTMKekoU&feature=player_embedded-
#256
September 15th, 2010, 12:36 AM
MrBrian
Re: Rootkit.TmpHider

From Stuxnet attackers used 4 Windows zero-day exploits:
Quote:
The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft’s Windows operating system, according to a startling disclosure from the world’s largest software maker.
Quote:
The malware also exploited two different elevation of privilege holes to gain complete control over the affected system. These two flaws are still unpatched.
#257
September 15th, 2010, 01:00 PM
CloneRanger
Re: Rootkit.TmpHider

@ MrBrian

Thanks for the update

So it's a lot worse than we initially realised, and 2 critical holes still wide open. I expect other nasties will try and make use of them soon, if they haven't already.
#258
September 18th, 2010, 10:57 PM
CloneRanger
Re: Rootkit.TmpHider

Stuxnet revelations

Sounds and looks like we are getting closer to discovering a lot more about the what/who/why of Stuxnet.

Secret agents, double agents, espionage, war by proxy etc etc. And it's not exactly a surprise to find out who the baddies are behind all of this. Amazed, yes, at their continued illegal activities both where they live and around the world, but not surprised. It'll be very interesting to see what the rest of the world's governments have to say about it, and "IF" they even propose ANY condemnation etc, let alone any punishment/sanctions.

Quote:
Originally Posted by EP_X0FF

Well, it is not a surprise and not a secret anymore.
Stuxnet is (c) Mossad and its main target was the atomic plant in Bushehr, Iran.

http://www.kernelmode.info/forum/vie...3f0cc&start=10

I posted earlier about the fact that the Iranians had discovered this malware in their SCADA systems.

Latest Siemens update is now 15 systems infected worldwide - http://support.automation.siemens.co...83&caller=view

Quote:
Stuxnet is a directed attack against a specific control system installation. Langner will disclose details, including forensic evidence, next week at Joe Weiss' conference in Rockville.

2. The attack involves heavy insider knowledge.

http://www.langner.com/en/index.htm
#259
September 18th, 2010, 11:49 PM
MrBrian
Re: Rootkit.TmpHider

Is Stuxnet the 'best' malware ever?
#260
September 18th, 2010, 11:56 PM
aigle
Re: Rootkit.TmpHider

Just a wild idea in my mind since I read about this malware. Doesn't the .lnk exploit seem like a back door intentionally left by MS and somehow revealed open to the world?
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#261
September 19th, 2010, 03:38 PM
CloneRanger
Re: Rootkit.TmpHider

@ aigle

Quote:
Just a wild idea in my mind since I read about this malware. Doesn't the .lnk exploit seem like a back door intentionally left by MS and somehow revealed open to the world?

Not so wild, but will we ever know for sure? At least we have that vector blocked now. Funny, sometimes good things can come from malware.

***********************

The plot thickens

Quote:
Originally Posted by EP_X0FF

And everything was told one year ago

http://www.kernelmode.info/forum/vie...t=233&start=20
#262
September 22nd, 2010, 10:52 AM
CloneRanger
Re: Rootkit.TmpHider

More confirmation

Quote:
"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner

*

So far, Stuxnet has infected at least 45,000 industrial control systems around the world

http://news.yahoo.com/s/csm/327178

Thanks to ratchet for the above link from here - http://www.wilderssecurity.com/showthread.php?t=282674

Strange! Siemens still says only 15

Quote:
Latest news on the infected computers:
To date, we know of 15 systems infected worldwide

http://support.automation.siemens.co...83&caller=view

Quote:
Stuxnet logbook, Sep 21 2010, 1200 hours MESZ

Ralph's analysis, part 2

http://www.langner.com/en/index.htm

Quote:
While we are going to include all of the technical details in a paper to be released at the Virus Bulletin Conference on September 29th, in recent days there has been significant interest in the process through which Stuxnet is able to infect a system and remain undetected.

http://www.symantec.com/connect/blog...ection-process

*

EDIT

The best way to eliminate ALL signs of Stuxnet on Iran's system/s would be to reinstall a fresh copy of SCADA on a new HD. Then swap over to that and destroy the previous one, or even better, keep it as evidence for industrial espionage.

Last edited by CloneRanger : September 22nd, 2010 at 11:33 AM.
#263
September 22nd, 2010, 08:36 PM
culla
Re: Rootkit.TmpHider

i'm completely protected under my tin foil hat
#264
September 23rd, 2010, 06:48 PM
ronjor (Global Moderator)
Re: Rootkit.TmpHider

Quote:
ESET Stuxnet Paper

By David Harley

The Stuxnet saga rolls on. And while a lot of talented people have been poring over the code for a while, some questions are still unresolved at this time, despite all the coverage.
http://blog.eset.com/2010/09/23/eset-stuxnet-paper
#265
September 23rd, 2010, 07:42 PM
Searching_ _ _
Re: Rootkit.TmpHider

The direction the world is going is right on track where it should be, don't worry for it's current direction, just prepare.

Ants are wise. The Ant doesn't listen to rumors, but continually puts extra into storage. Because the Ant learned that difficulties do come and they don't waste the energy debating when they will come. The Ant prepares.

Cool article Ronjor.
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?
#266
September 23rd, 2010, 11:10 PM
CloneRanger
Re: Rootkit.TmpHider

Stuxnet C&C investigation

I'm not sure what to make of all this, so please chip in with your thoughts etc. Remember I'm not an expert, just tried to do some background digging.

www.mypremierfutbol.com & www.todaysfutbol.com = http://www.annerinternational.com = Gone

Quote:
Anner Media Group
50 Upper Mount Street
Dublin 2
Ireland

http://www.4rfv.co.uk/brieflisting.a...&company=13303

Quote:
14 Mar 2006 Anner Media Group goes into receivership

The Irish entertainment business was reeling today with the news that the Anner Media Group had gone into receivership.

http://www.hotpress.com/archive/2854995.html

www.mypremierfutbol.com & www.todaysfutbol.com = Both still live but appear dead !

So have the Stuxnet bad people taken over those www's by legit means, or hijacked them? Strange that Anner, who went out of business in 2006, is listed as the owner of those www's?

Quote:
Server details:

Sites at the same IP address include: 78.111.169.146

Sites on the same network include: 78.111.169.0/24

http://www.webboar.com/www/mypremierfutbol.com#ip

78.111.169.146 & 78.111.169.0/24 = Could not find a domain name corresponding to this IP address.

Network Operation Center
Zen Systems ApS
Esromgade 15, 1 - 3. sal
DK-2200 København N
Denmark

TODAYSFUTBOL.COM IP: 211.24.237.226
The IP belongs to ISP TIME TELECOMMUNICATIONS SDN BHD
ISP domain: TIME.NET.MY
Location information:
Country: MALAYSIA

http://www.webboar.com/www/todaysfutbol.com

http://www.mypremierfutbol.com/index...a=data_to_send is the upload channel for Stuxnet, or one of them anyway, or was.

I got the www's from this excellent article that ronjor linked to.

Quote:
Stuxnet Under the Microscope

http://www.eset.com/resources/white-...Microscope.pdf
#267
September 24th, 2010, 03:46 PM
tgell
Re: Rootkit.TmpHider

Sorry if this article has already been referenced in this thread:

Software smart bomb fired at Iranian nuclear plant: experts

Quote:
SAN FRANCISCO (AFP) – Computer security experts are studying a scary new cyber weapon: a software smart bomb that may have been crafted to find and sabotage a nuclear facility in Iran.

The software saboteur has been found lurking on systems in India, Indonesia, Pakistan and elsewhere, but the heaviest infiltration appeared to be in Iran, according to software security researchers.

"This was assembled by a highly qualified team of experts, involving some with specific control system expertise," Langner said.

"This is not some hacker sitting in the basement of his parents' house. The resources needed to stage this attack point to a nation state."

Article
#268
September 25th, 2010, 05:50 AM
CloneRanger
Re: Rootkit.TmpHider

Stuxnet Before the .lnk File Vulnerability

Quote:
Code to exploit the zero-day .lnk file vulnerability (BID 43073) used by Stuxnet was added to the threat around March 2010; we know this because the samples we observed before this date did not contain code to exploit that vulnerability. This leads us to the following question: how did previous Stuxnet variants spread through removable devices?

The answer is that older versions did not use a vulnerability but instead an AutoRun trick to spread.

*

This is just one little surprise of the many that Stuxnet has held for us. We predict that there are probably a few more still left within this threat…

http://www.symantec.com/connect/blog...-vulnerability

Many more articles here - http://www.symantec.com/connect/blog-tags/w32stuxnet
#269
September 25th, 2010, 04:05 PM
CloneRanger
Re: Rootkit.TmpHider

Quote:
Tehran confirms its industrial computers under Stuxnet virus attack

DEBKAfile Exclusive Report September 25, 2010
Tags: Stuxnet cyber war on Iran US-Israel
Iran is first nation to admit to being victim of cyber-terror

Mahmoud Alyaee, secretary-general of Iran's industrial computer servers, including its nuclear facilities control systems, confirmed Saturday, Sept. 25, that 30,000 computers belonging to classified industrial units had been infected and disabled by the malicious Stuxnet virus.

http://www.debka.com/article/9045
#270
September 26th, 2010, 08:02 AM
Dermot7
Re: Rootkit.TmpHider

AP..."Worm hits computers of staff at Iran nuclear plant"...
http://hosted.ap.org/dynamic/stories...09-26-07-02-03
#271
September 26th, 2010, 05:10 PM
CloneRanger
Re: Rootkit.TmpHider

The availability of 4 previously unknown-at-large vulnerabilities to choose from, which Stuxnet had at its disposal, could be seen as MS backdoors, especially the .LNK one. It might be stretching it a bit/lot to say all vulnerabilities are intentional backdoors, but "some" could be, and in the past "may" have been. It's "possible" one or more of these could have been passed on to "whoever" by shush, you know who!

Quote:
Siemens and its NSA connections, encryption scams, backdoors, and Iran and Israel et al

http://mediafilter.org/caq/cryptogate

Fascinating reading, for those that didn't know, and maybe a reminder for those that did.

*

Stuxnet goes mainstream

Mainstream media as well as independent outlets giving Stuxnet more coverage now. Quite a number of links, and links to links from this one.

Quote:
http://www.infowars.com/will-stuxnet...se-flag-attack

-http://www.youtube.com/watch?v=H6VipR0xBGo-
#273
September 27th, 2010, 06:56 AM
noone_particular
Re: Rootkit.TmpHider

If that malware causes a major nuclear accident, the developer nation of that malware is guilty of mass murder of civilians and is responsible for all the environmental damage. The result would be no different than terrorists detonating a nuclear dirty bomb, with no regard for the hundreds of millions who are downwind.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#274
September 27th, 2010, 11:33 AM
dw426
Re: Rootkit.TmpHider

Quote:
Originally Posted by noone_particular
If that malware causes a major nuclear accident, the developer nation of that malware is guilty of mass murder of civilians and is responsible for all the environmental damage. The result would be no different than terrorists detonating a nuclear dirty bomb, with no regard for the hundreds of millions who are downwind.

It isn't designed for that, clearly. It's meant to delay from what things are looking like. It may not even be working as planned, if some reports are to be believed (I would doubt these reports highly). What I'm seeing this as is, hmm, how should I put this? "Forceful diplomacy"? If sanctions don't work, and they never do, step it up a notch and make life miserable for the plant operators and staff. Oh, if anyone has the strange belief that this is just the U.S involved, wake up.
#275
September 27th, 2010, 04:45 PM
hawki
Re: Rootkit.TmpHider

Stuxnet worm can re-infect scrubbed PCs

Iran's attempts to eradicate worm could be stymied by new infection vector, says researcher

"A security researcher today revealed yet another way that the Stuxnet worm spreads, a tactic that can re-infect machines that have already been scrubbed of the malware.....

...
Liam O Murchu, manager of operations on Symantec's security response team and one of a handful of researchers who have been analyzing Stuxnet since its public appearance in July, said today he'd found another way that the worm spreads. According to O Murchu, Stuxnet also injects a malicious DLL into every Step 7 project on a compromised PC, ensuring that the worm spreads to other, unaffected PCs whenever an infected Step 7 file is opened.

Step 7 is the Siemens software used to program and configure the German company's industrial control system hardware. When Stuxnet detects Step 7 software, it tries to hijack the program and pass control to outsiders.

"All Step 7 projects [on a compromised computer] are infected by Stuxnet," O Murchu said in an interview today. "Anyone who opens a project infected by Stuxnet is then compromised by the worm."

MORE HERE: http://www.computerworld.com/s/artic...t_scrubbed_PCs

Last edited by hawki : September 27th, 2010 at 04:54 PM.
 

All times are GMT -4. The time now is 12:06 AM.


Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums