Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger (Registered Member)

    Interesting they only say "impede"

    Seems like the Sality gang did waste time, and launched the latest nasties after the patch was released :D I suppose they are "Banking" on some people not being updated, as indeed they won't be :(
  2. MrBrian (Registered Member)

    From Stuxnet could hijack power plants, refineries:
  3. CloneRanger (Registered Member)

  4. Malcontent (Registered Member)

    Stuxnet: Dissecting the Worm

    http://www.technewsworld.com/story/Stuxnet-Dissecting-the-Worm-70622.html

  5. CloneRanger (Registered Member)

    False SCADA attack from 2009 turns into Real ones over a year later. I wonder if the Stuxnet coders got the idea from this ?

    The video is funny - http://www.youtube.com/watch?v=0L7DTMKekoU&feature=player_embedded
  6. MrBrian (Registered Member)

    From Stuxnet attackers used 4 Windows zero-day exploits:
  7. CloneRanger (Registered Member)

    @ MrBrian

    Thanks for the update :thumb:

    So it's a lot worse than we initially realised, and 2 critical holes still wide open :eek: I expect other nasties will try and make use of them soon, if they haven't already.
  8. CloneRanger (Registered Member)

    Stuxnet revelations

    Sounds and looks like we are getting closer to discovering a lot more about the what/who/why and Stuxnet :eek:

    Secret agents, double agents, espionage, war by proxy etc etc. And it's not exactly a surprise to find out who the baddies are behind all of this :thumbd: Amazed yes at their continued illegal activities both where they live and around the world, but not surprised. It'll be very interesting to see what the rest of the world's governments have to say about it, and "IF" they even propose ANY condemnation etc, let alone any punishment/sanctions.

    I posted earlier about the fact that the Iranians had discovered this malware in their SCADA systems.

    Latest Siemens update is now 15 systems infected worldwide - http://support.automation.siemens.c...lib.csinfo&lang=en&objid=43876783&caller=view

  9. MrBrian (Registered Member)

  10. aigle (Registered Member)

    Just a wild idea in my mind since I read about this malware. Doesn't the .lnk exploit seem like a back door intentionally left by MS and somehow revealed open to the world?
  11. CloneRanger (Registered Member)

    @ aigle

    Not so wild, but will we ever know for sure ? At least we have that vector blocked now ;) Funny, sometimes good things can come from malware :D

    ***********************

    The plot thickens

  12. CloneRanger (Registered Member)

    More confirmation :eek:

    Thanks to ratchet :thumb: for the above link from here - http://www.wilderssecurity.com/showthread.php?t=282674

    Strange ! Siemens says still only 15 :p

    *

    EDIT

    The best way to eliminate ALL signs of Stuxnet on Iran's system/s would be to reinstall a fresh copy of SCADA on a new HD. Then swap over to that and destroy the previous one, or even better, keep it as evidence for industrial espionage ;)
    Last edited: Sep 22, 2010
  13. culla (Registered Member)

    I'm completely protected under my tin foil hat :argh:
  14. ronjor (Global Moderator)

    http://blog.eset.com/2010/09/23/eset-stuxnet-paper
  15. Searching_ _ _ (Registered Member)

    The direction the world is going is right on track where it should be, don't worry for its current direction, just prepare.

    Ants are wise. The Ant doesn't listen to rumors, but continually puts extra into storage. Because the Ant learned that difficulties do come and they don't waste the energy debating when they will come. The Ant prepares.

    Cool article Ronjor.
  16. CloneRanger (Registered Member)

    Stuxnet C&C investigation

    I'm not sure what to make of all this, so please chip in with your thoughts etc. Remember I'm not an expert, just tried to do some background digging ;)

    www.mypremierfutbol.com & www.todaysfutbol.com = http://www.annerinternational.com = Gone

    www.mypremierfutbol.com & www.todaysfutbol.com = Both still live but appear dead !

    So have the Stuxnet bad people taken over those www's by legit means, or hijacked them ? Strange that Anner, who went out of business in 2006, is listed as the owner of those www's ?

    78.111.169.146 & 78.111.169.0/24 = Could not find a domain name corresponding to this IP address.

    Network Operation Center
    Zen Systems ApS
    Esromgade 15, 1 - 3. sal
    DK-2200 København N
    Denmark

    TODAYSFUTBOL.COM IP: 211.24.237.226
    The IP belongs to ISP TIME TELECOMMUNICATIONS SDN BHD
    ISP domain: TIME.NET.MY
    Location information:
    Country: MALAYSIA

    http://www.webboar.com/www/todaysfutbol.com

    http://www.mypremierfutbol.com/index.php?data=data_to_send is the upload channel for Stuxnet, or one of them anyway, or was.

    I got the www's from this excellent article, that ronjor :thumb: linked to.

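The indicators quoted in the post above (the two C&C domains, the index.php?data= upload channel and the 78.111.169.0/24 netblock) are the kind of thing a defender would turn into a proxy-log check. The following is an added example written for this thread, not code from the original post; the log format and the log lines are constructed, and exact host matching is used so look-alike domains such as a longer suffix do not trigger a false positive.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the post above (domains, upload path, netblock).
STUXNET_CC_DOMAINS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}
STUXNET_NETBLOCK = ip_network("78.111.169.0/24")

# Constructed sample proxy log: "client_ip dest_ip method url" per line (not real traffic).
SAMPLE_PROXY_LOG = """\
10.0.0.5 93.184.216.34 GET http://example.com/index.html
10.0.0.7 198.51.100.20 GET http://www.mypremierfutbol.com/index.php?data=AAAABBBB
10.0.0.9 78.111.169.146 POST http://78.111.169.146/update
10.0.0.5 93.184.216.34 GET http://www.mypremierfutbol.com.example.net/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return a reason string if the log line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _client, dest_ip, _method, url = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in STUXNET_CC_DOMAINS:          # exact match, not a suffix match
        query = parse_qs(parts.query)
        if parts.path == "/index.php" and "data" in query:
            return "cnc-upload"             # the index.php?data=... channel
        return "cnc-domain"
    try:
        if ip_address(dest_ip) in STUXNET_NETBLOCK:
            return "cnc-netblock"
    except ValueError:                      # dest field was not an IP address
        pass
    return None

def scan_proxy_log(text):
    """Return a list of (client_ip, reason, url) for lines that hit an indicator."""
    hits = []
    for line in text.splitlines():
        reason = classify(line)
        if reason:
            client, _, _, url = LOG_RE.match(line.strip()).groups()
            hits.append((client, reason, url))
    return hits
```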
  17. tgell (Registered Member)

    Sorry if this article has already been referenced in this thread:

    Software smart bomb fired at Iranian nuclear plant: experts

    Article
  18. CloneRanger (Registered Member)

    Stuxnet Before the .lnk File Vulnerability

    Many more articles here - http://www.symantec.com/connect/blog-tags/w32stuxnet
  19. CloneRanger (Registered Member)

    http://www.debka.com/article/9045
  20. Dermot7 (Registered Member)

  21. CloneRanger (Registered Member)

    The availability of 4 previously unknown-at-large vulnerabilities to choose from, which Stuxnet had at its disposal, could be seen as MS backdoors, especially the .LNK one. It might be stretching it a bit/lot to say all vulnerabilities are intentional backdoors, but "some" could be, and in the past "may" have been. It's "possible" one or more of these could have been passed on to "whoever" by shush you know who !

    Fascinating reading, for those that didn't know, and maybe a reminder for those that did.

    *

    Stuxnet goes mainstream

    Mainstream media as well as independent outlets giving Stuxnet more coverage now. Quite a number of links, and links to links from this one.

  22. noone_particular (Registered Member)

    If that malware causes a major nuclear accident, the developer nation of that malware is guilty of mass murder of civilians and is responsible for all the environmental damage. The result would be no different than terrorists detonating a nuclear dirty bomb, with no regard for the hundreds of millions who are downwind.
  23. dw426 (Registered Member)

    It isn't designed for that, clearly. It's meant to delay, from what things are looking like. It may not even be working as planned, if some reports are to be believed (I would doubt these reports highly). What I'm seeing this as is, hmm, how should I put this? "Forceful diplomacy"? If sanctions don't work, and they never do, step it up a notch and make life miserable for the plant operators and staff. Oh, if anyone has the strange belief that this is just the U.S. involved, wake up.
  24. hawki (Registered Member)

    Stuxnet worm can re-infect scrubbed PCs

    Iran's attempts to eradicate worm could be stymied by new infection vector, says researcher

    " A security researcher today revealed yet another way that the Stuxnet worm spreads, a tactic that can re-infect machines that have already been scrubbed of the malware.....

    ...
    Liam O Murchu, manager of operations on Symantec's security response team and one of a handful of researchers who have been analyzing Stuxnet since its public appearance in July, said today he'd found another way that the worm spreads. According to O Murchu, Stuxnet also injects a malicious DLL into every Step 7 project on a compromised PC, ensuring that the worm spreads to other, unaffected PCs whenever an infected Step 7 file is opened.

    Step 7 is the Siemens software used to program and configure the German company's industrial control system hardware. When Stuxnet detects Step 7 software, it tries to hijack the program and pass control to outsiders.

    "All Step 7 projects [on a compromised computer] are infected by Stuxnet," O Murchu said in an interview today. "Anyone who opens a project infected by Stuxnet is then compromised by the worm."

    MORE HERE: http://www.computerworld.com/s/article/9188238/Stuxnet_worm_can_re_infect_scrubbed_PCs
    Last edited: Sep 27, 2010