Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Interesting they only say "impede"

    Seems like the Sality gang did waste time, and launched the latest nasties after the patch was released :D I suppose they are "Banking" on some people not being updated, as indeed they won't be :(
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Stuxnet could hijack power plants, refineries:
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
  4. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    450
    Location:
    Cleveland, Ohio USA
    Stuxnet: Dissecting the Worm

    http://www.technewsworld.com/story/Stuxnet-Dissecting-the-Worm-70622.html

     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    False SCADA attack from 2009 turns into real ones over a year later. I wonder if the Stuxnet coders got the idea from this?

    The video is funny - http://www.youtube.com/watch?v=0L7DTMKekoU&feature=player_embedded
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Stuxnet attackers used 4 Windows zero-day exploits:
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    @ MrBrian

    Thanks for the update :thumb:

    So it's a lot worse than we initially realised, and 2 critical holes still wide open :eek: I expect other nasties will try and make use of them soon, if they haven't already.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Stuxnet revelations

    Sounds and looks like we are getting closer to discovering a lot more about the what/who/why of Stuxnet :eek:

    Secret agents, double agents, espionage, war by proxy etc etc. And it's not exactly a surprise to find out who the baddies are behind all of this :thumbd: Amazed yes at their continued illegal activities both where they live and around the world, but not surprised. It'll be very interesting to see what the rest of the world's governments have to say about it, and "IF" they even propose ANY condemnation etc, let alone any punishment/sanctions.

    I posted earlier about the fact that the Iranians had discovered this malware in their SCADA systems.

    Latest Siemens update is now 15 systems infected worldwide - http://support.automation.siemens.c...lib.csinfo&lang=en&objid=43876783&caller=view

     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,830
    Location:
    Saudi Arabia/ Pakistan
    Just a wild idea in my mind since I read about this malware. Doesn't the .lnk exploit seem like a back door intentionally left by MS and somehow revealed open to the world?
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    @ aigle

    Not so wild, but will we ever know for sure? At least we have that vector blocked now ;) Funny, sometimes good things can come from malware :D

    ***********************

    The plot thickens

     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    More confirmation :eek:

    Thanks to ratchet :thumb: for the above link from here - http://www.wilderssecurity.com/showthread.php?t=282674

    Strange! Siemens says still only 15 :p

    *

    EDIT

    The best way to eliminate ALL signs of Stuxnet on Iran's system/s would be to reinstall a fresh copy of SCADA on a new HD. Then swap over to that and destroy the previous one, or even better, keep it as evidence for industrial espionage ;)
     
    Last edited: Sep 22, 2010
  13. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    I'm completely protected under my tin foil hat :argh:
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    53,190
    Location:
    Texas
    http://blog.eset.com/2010/09/23/eset-stuxnet-paper
     
  15. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    The direction the world is going is right on track where it should be, don't worry for it's current direction, just prepare.

    Ants are wise. The Ant doesn't listen to rumors, but continually puts extra into storage. Because the Ant learned that difficulties do come and they don't waste the energy debating when they will come. The Ant prepares.

    Cool article Ronjor.
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Stuxnet C&C investigation

    I'm not sure what to make of all this, so please chip in with your thoughts etc. Remember I'm not an expert, just tried to do some background digging ;)

    www.mypremierfutbol.com & www.todaysfutbol.com = http://www.annerinternational.com = Gone

    www.mypremierfutbol.com & www.todaysfutbol.com = Both still live but appear dead!

    So have the Stuxnet bad people taken over those www's by legit means, or hijacked them? Strange that Anner, who went out of business in 2006, is listed as the owner of those www's?

    78.111.169.146 & 78.111.169.0/24 = Could not find a domain name corresponding to this IP address.

    Network Operation Center
    Zen Systems ApS
    Esromgade 15, 1 - 3. sal
    DK-2200 København N
    Denmark

    TODAYSFUTBOL.COM IP: 211.24.237.226
    The IP belongs to ISP TIME TELECOMMUNICATIONS SDN BHD
    ISP domain: TIME.NET.MY
    Location information:
    Country: MALAYSIA

    http://www.webboar.com/www/todaysfutbol.com

    http://www.mypremierfutbol.com/index.php?data=data_to_send is the upload channel for Stuxnet, or one of them anyway, or was.

    I got the www's from this excellent article, that ronjor :thumb: linked to.

     
  17. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    995
    Sorry if this article has already been referenced in this thread:

    Software smart bomb fired at Iranian nuclear plant: experts

    Article
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Stuxnet Before the .lnk File Vulnerability

    Many more articles here - http://www.symantec.com/connect/blog-tags/w32stuxnet
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    http://www.debka.com/article/9045
     
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    2,949
    Location:
    Surrey, England.
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    The availability of 4 vulnerabilities, previously unknown at large, from which to choose, which Stuxnet had at its disposal, could be seen as MS backdoors, especially the .LNK one. It might be stretching it a bit/lot to say all vulnerabilities are intentional backdoors, but "some" could be, and in the past "may" have been. It's "possible" one or more of these could have been passed on to "whoever" by shush you know who!

    Fascinating reading, for those that didn't know, and maybe a reminder for those that did.

    *

    Stuxnet goes mainstream

    Mainstream media as well as independent outlets giving Stuxnet more coverage now. Quite a number of links, and links to links from this one.

     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If that malware causes a major nuclear accident, the developer nation of that malware is guilty of mass murder of civilians and is responsible for all the environmental damage. The result would be no different than terrorists detonating a nuclear dirty bomb, with no regard for the hundreds of millions who are downwind.
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It isn't designed for that, clearly. It's meant to delay, from what things are looking like. It may not even be working as planned, if some reports are to be believed (I would doubt these reports highly). What I'm seeing this as is, hmm, how should I put this? "Forceful diplomacy"? If sanctions don't work, and they never do, step it up a notch and make life miserable for the plant operators and staff. Oh, if anyone has the strange belief that this is just the U.S. involved, wake up.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,393
    Location:
    DC Metro Area
    Stuxnet worm can re-infect scrubbed PCs

    Iran's attempts to eradicate worm could be stymied by new infection vector, says researcher

    " A security researcher today revealed yet another way that the Stuxnet worm spreads, a tactic that can re-infect machines that have already been scrubbed of the malware.....

    ...
    Liam O Murchu, manager of operations on Symantec's security response team and one of a handful of researchers who have been analyzing Stuxnet since its public appearance in July, said today he'd found another way that the worm spreads. According to O Murchu, Stuxnet also injects a malicious DLL into every Step 7 project on a compromised PC, ensuring that the worm spreads to other, unaffected PCs whenever an infected Step 7 file is opened.

    Step 7 is the Siemens software used to program and configure the German company's industrial control system hardware. When Stuxnet detects Step 7 software, it tries to hijack the program and pass control to outsiders.

    "All Step 7 projects [on a compromised computer] are infected by Stuxnet," O Murchu said in an interview today. "Anyone who opens a project infected by Stuxnet is then compromised by the worm."

    MORE HERE: http://www.computerworld.com/s/article/9188238/Stuxnet_worm_can_re_infect_scrubbed_PCs
     
    Last edited: Sep 27, 2010
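The re-infection path quoted above (a DLL dropped into every Step 7 project, so a scrubbed host is compromised again the moment someone opens an old project) is the reason project folders have to be treated as untrusted after cleanup, not just the OS. The script below is an added example, not code from the post, Computerworld, Symantec or Siemens: it snapshots SHA-256 hashes of a project tree while the host is known clean, then, before a project is re-opened, diffs the tree and refuses any project that has gained or changed an executable file. The directory layout, file names and the "refuse on any new binary" policy are assumptions made for the example; they are not the real Step 7 project format.

```python
import hashlib
import os
import tempfile

# File types that should never appear in a project tree unless the engineering
# team put them there deliberately (assumed policy for this example).
BINARY_EXT = {".dll", ".exe", ".sys", ".ocx", ".scr"}


def sha256_file(path):
    """Hash a file in chunks so large project archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def audit(root, baseline):
    """Diff the tree under root against a known-good baseline."""
    current = snapshot(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    # A new or altered executable inside a project is exactly the re-infection
    # vector described in the post: it gets loaded when the project is opened.
    suspicious = [p for p in added + modified
                  if os.path.splitext(p)[1].lower() in BINARY_EXT]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious_binaries": suspicious}


def safe_to_open(findings):
    """Policy: refuse to open a project that gained or changed any binary."""
    return not findings["suspicious_binaries"]


def demo():
    """Constructed scenario: baseline a clean project, then plant a DLL in it.

    Returns (findings_before, findings_after). The file names and layout are
    invented for the example and are not the real Step 7 project format.
    """
    with tempfile.TemporaryDirectory() as root:
        proj = os.path.join(root, "Plant_A")
        os.makedirs(os.path.join(proj, "blocks"))
        with open(os.path.join(proj, "Plant_A.prj"), "w") as f:
            f.write("project=Plant_A\n")
        with open(os.path.join(proj, "blocks", "main_block.txt"), "w") as f:
            f.write("-- constructed block source, no real logic\n")

        baseline = snapshot(proj)   # taken while the host is known clean
        before = audit(proj, baseline)

        # Simulate the infection: an unexpected DLL appears inside the project.
        with open(os.path.join(proj, "blocks", "helper.dll"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)   # placeholder bytes, not a real PE

        after = audit(proj, baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean tree safe to open:", safe_to_open(before))
    print("findings after planting DLL:", after)
    print("infected tree safe to open:", safe_to_open(after))
```

In practice the baseline would be taken from a trusted backup or from the engineering workstation before the incident and stored off the host, since a baseline generated on an already-infected machine would simply record the planted DLL as expected. The hash comparison also catches a modified project file, not only an added one, which matters because the quoted article says the DLL is injected into existing projects rather than dropped beside them.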