Stuxnet Analysis: "Same Old Thing"

Discussion in 'malware problems & news' started by Rmus, Sep 24, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The quote is mine, and I've used it a number of times for many of the recent exploits, referring not to the sophistication of what the malware does after installed, but rather to the distribution process: the attack vectors. In this respect, nothing has changed.

    The recent Eset analysis (PDF file) of the Stuxnet worm (Win32/Stuxnet) is a wonderful, step by step analysis of the attack methods:

    Stuxnet Under the Microscope
    http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

    I will summarize a few of the important points, starting with page 5, where they display a graph showing the 3 stages of the infection process, which are:

    Sound familiar?

    Then, pages 21ff describe the infection process. This is the first vulnerability discussed, the LNK exploit:

    Well, the malware DLL may not be executed, of course, depending on the client-side security setup, and this has been discussed already in other threads, showing how easy it is to block this attack with many solutions available today.

    The next part of the Eset analysis describes in detail the four attack vectors. Following that, readers interested just in preventative measures can stop reading, because it is evident what protective measures are needed!

    Unfortunately, most articles on these types of exploits, especially in the mainstream media, do not provide this pertinent information, and we are left to forge around for details.

    I wish something like this could have been published earlier on!

    The paper continues with a detailed analysis of how the malware works once installed, which makes for very interesting reading indeed!

    NOTE: The Eset Analysis is linked in the article posted by ronjor here:

    https://www.wilderssecurity.com/showpost.php?p=1754905&postcount=277

    ----
    rich
     
  2. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks Rmus for the info. Currently reading it thoroughly...
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes the ESET article is very good :thumb:

    We agree about the prevention techniques/apps that have been available for years, and now there are even more of them. Quite why industry/companies large & small haven't made use of them in droves by now is very strange. Maybe they aren't aware of them? It's about time they were, especially these days with tens of thousands of nasty badware released every day!

    Also we might expect critical systems to NOT be connected to the www, and have any/all possible entry vectors like USB etc. sockets sealed and/or locked, only to be made available to very limited and knowledgeable personnel.

    If this was done most if not all infections/downtime/expense etc etc would be avoided.
     