Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger, Registered Member

    http://www.symantec.com/content/en/..._response/whitepapers/w32_stuxnet_dossier.pdf
  2. JRViejo, Global Moderator

  3. TheGyre, Registered Member

    New Findings On Stuxnet Worm

    Courtesy of the New York Times... Some interesting conclusions.

    "Then, on Wednesday, Mr. Albright and a colleague, Andrea Stricker, released a report saying that when the worm ramped up the frequency of the electrical current supplying the centrifuges, they would spin faster and faster. The worm eventually makes the current hit 1,410 Hertz, or cycles per second — just enough, they reported, to send the centrifuges flying apart.

    In a spooky flourish, Mr. Albright said in the interview, the worm ends the attack with a command to restore the current to the perfect operating frequency for the centrifuges — which, by that time, would presumably be destroyed.

    “It’s striking how close it is to the standard value,” he said. "


    http://www.nytimes.com/2010/11/19/world/middleeast/19stuxnet.html?pagewanted=2&_r=1&hp
  4. kjdemuth, Registered Member

    Re: New Findings On Stuxnet Worm

    Thanks for the update
  5. CloneRanger, Registered Member

  6. JRViejo, Global Moderator

    CloneRanger, after reading that article, it "hints" that Israel was behind it, however, I see no "admission" of them being behind the attack. Excerpts:
    Let's stick to the subject and not take this thread off topic by discussing politics and countries. Thanks!
  7. Baserk, Registered Member

    If you couldn't view/read that page, how did you come to your 'conclusion' in red?
  8. MrBrian, Registered Member

  9. Pandorian, Registered Member

    The second link exaggerates the likelihood of this occurring. I used to design control systems using various equipment, and in every system that I installed the control PCs were locked down to a dedicated shell, and the PLC and control PCs were installed on a dedicated network with a firewall to any internal MIS systems or database. Data flow was one way from the control network to the MIS/internal network.

    The same network arrangement occurred in the food, steel, nuclear, utilities, and other manufacturing industries that I worked in.

    Industrial control systems have always been designed to a higher standard than a normal office network simply because they need to be reliable 24 x 7 x 365 in some cases. Polluting a control system network with traffic from a standard office network is a big no-no.
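The segmentation described in the post above (control PCs may push data out to the MIS network, but nothing on the MIS side may initiate a connection into the control network) can be written down as a stateful firewall policy. The nftables ruleset below is an added illustration, not code from the thread or from any vendor; the subnets, interface names, collector address and port are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Illustrative nftables policy for the firewall that sits between a
# dedicated control network (PLCs, HMI/control PCs) and the office MIS
# network. All addresses, interfaces and ports are assumed values.
define CTRL_NET  = 10.10.0.0/24      # assumed control-network subnet
define MIS_NET   = 192.168.50.0/24   # assumed MIS/office subnet
define CTRL_IF   = eth0              # assumed interface facing the control side
define MIS_IF    = eth1              # assumed interface facing the MIS side
define HISTORIAN = 192.168.50.20     # assumed data collector on the MIS side
define HIST_PORT = 5432              # assumed collector listening port

flush ruleset

table inet ics_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets with no valid connection-tracking state never cross.
        ct state invalid drop

        # Replies to connections the control side opened are the only
        # packets that are ever allowed to travel MIS -> control.
        ct state established,related accept

        # Control -> MIS: only hosts on the control subnet, only to the
        # collector, only on the collector's port. Nothing else leaves.
        iifname $CTRL_IF oifname $MIS_IF ip saddr $CTRL_NET ip daddr $HISTORIAN tcp dport $HIST_PORT ct state new counter accept

        # MIS -> control: no new connections, ever. Log the attempt so a
        # workstation trying to reach a PLC shows up in the firewall log.
        iifname $MIS_IF oifname $CTRL_IF ct state new log prefix "ICS-BOUNDARY-DENY " counter drop

        # Everything not matched above falls through to the drop policy.
    }
}
```

Load it with `nft -f`; the `ICS-BOUNDARY-DENY` log prefix is the detection hook, since any office host attempting to initiate toward the control side produces a logged, counted entry.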
  10. CloneRanger, Registered Member

    @ JRViejo

    OK & thanks for the quotes ;)


    @ Baserk

    I saw the link posted on another www & that's the headline it gave !
  11. hawki, Registered Member

    Attack code published for unpatched Stuxnet vulnerability

    Exploit code for one of the still-unpatched Windows vulnerabilities used in the Stuxnet malware has been posted on the web, a move that puts pressure on Microsoft to release a security patch.

    The exploit, written by webDEViL, provides a roadmap to exploit a flaw in the Windows Task Scheduler to elevate rights on vulnerable Windows machines.

    It has been successfully tested on systems running Windows Vista, Windows 7 and Windows Server 2008.

    http://www.zdnet.com/blog/security/attack-code-published-for-unpatched-stuxnet-vulnerability/7732

    UPDATE: MICROSOFT'S RESPONSE:

    Attackers Must Already Have Access

    “Microsoft is aware of the public posting of the details of an elevation of privilege vulnerability used by the Stuxnet malware,” Jerry Bryant, group manager of Response Communications at Microsoft, said in a statement. “We first discussed this vulnerability in September 2010. Because this is a local elevation of privilege issue, it requires attackers to be already able to execute code on a targeted machine. A bulletin addressing this issue will be released as part of our regular monthly bulletin cycle in the near future.”

    MORE HERE: http://www.eweekeurope.co.uk/news/exploit-code-for-stuxnets-unpatched-target-goes-public-14216
    Last edited: Nov 24, 2010
  12. Daveski17, Registered Member

    Stuxnet Redux: Questions and Answers

    Stuxnet Redux: Questions and Answers F-Secure

    Hmmmm... very interesting...

    ~removed comment~
    Last edited by a moderator: Nov 25, 2010
  13. JRViejo, Global Moderator

    Merged Threads to continue the discussion on the same topic!
  14. Pandorian, Registered Member

    Never in the field of software security was so much hype achieved from so little effect.

    It seems to me this is a 'celebrity' virus, which in reality has achieved nothing but headlines. All bar one of the dropper mechanisms have already been patched, and the payload was so very, very narrow in scope.

    I think the reality is, this particular virus failed to achieve its goal, so why the hype?
  15. trismegistos, Registered Member

    This was intended to be as undetectable as possible, being a sort of a targeted attack minus the collateral infections, with the end result of malfunctioning of certain centrifuge machines that enrich uranium, particularly in Iran, to derail its nuclear program. But it was discovered by accident, as the story goes.

    It was not intended to create havoc nor for espionage nor to create a botnet nor to create an end of the world scenario nor to create notoriety for its makers.

    But there is the initial concern of the theoretical possibility of a greater danger, a nuclear plant gone haywire creating greater casualties, or other industrial processes which could produce some mishap among innocent civilians. Also of the possibility that this will be reverse engineered and used by those with more malicious intent. What amazes the researchers with this malware is that it carried 4 zeroday exploits and that it is state sponsored. It's a good thing that the zero days of Stuxnet are patched already except one. The shell32.dll vulnerability is I think the most important. Sort of a non documented USB autorun. What if those vulnerabilities weren't patched and other malwares would use those? Imagine the mushrooming of more malicious codes wreaking havoc even on well secured systems/networks to steal trade secrets, etc. and more failures of industrial control systems causing industrial accidents and misfortunes. And not to mention cyberwarfare. It was reported that some critical networks like the military in certain states were also affected by malwares just because of the ubiquitous USB devices. Yes, there are still some not as prudent as you who continue to have false practices despite safety policies like forbidding connectivity between critical systems, and not to mention those USBs if carried by some insiders/rogue elements or infiltrators to infect your networks/systems. Paranoia? The attack scenario was outlined in the w32.stuxnet dossier by Symantec. It can be easily mitigated by policies and safe practices as you have said, but there will always be a means for a determined attacker.
    Last edited: Nov 26, 2010
  16. MrBrian, Registered Member

  17. Meriadoc, Registered Member

  18. hawki, Registered Member

    FWIW:

    Nuclear scientist killed in Tehran was Iran's top Stuxnet expert

    Prof. Majid Shahriari, who died when his car was attacked in North Tehran Monday, Nov. 29, headed the team Iran established for combating the Stuxnet virus rampaging through its nuclear and military networks.

    http://www.debka.com/article/20406/
    Last edited: Nov 29, 2010
  19. trismegistos, Registered Member

  20. MrBrian, Registered Member

  21. Serapis, Registered Member

  22. JRViejo, Global Moderator

    Merged Threads to Continue Same Topic!
  23. Baserk, Registered Member

    Stuxnet’s Finnish-Chinese Connection

    "A third important piece of the puzzle, which I’ll discuss later in this article, directly connects a Chinese antivirus company which writes their own viruses with the Stuxnet worm.
    ...
    ...based solely on the known facts, I consider China to be the most likely candidate for Stuxnet’s origin."

    From Jeffrey Carr's 'China-scenario' article in Forbes.
  24. TheGyre, Registered Member

  25. CloneRanger, Registered Member

    @ TheGyre

    Thanks for posting this :thumb: I was just about to ;)