Son of Stuxnet

Discussion in 'malware problems & news' started by CJsDad, Oct 18, 2011.

Thread Status:
Not open for further replies.
  1. CJsDad (Registered Member; joined Jan 22, 2006; 618 posts)
  2. siljaline (Former Poster; joined Jun 29, 2003; 6,619 posts)
    Son of Stuxnet Found in the Wild on Systems in Europe

    Full Story
     
  3. CloneRanger (Registered Member; joined Jan 4, 2006; 4,833 posts)
    @ CJsDad

    :thumb:

    On siljaline's link :thumb: you'll find that Symantec have been VERY quick off the mark & published a 46-page whitepaper about it already ;)

    http://www.symantec.com/content/en/...32_duqu_the_precursor_to_the_next_stuxnet.pdf

    My bolding etc. But there ya go, they ain't taken their ball home yet. So it appears they still mean "business" !

    If any of the following is true, then :eek: :eek: :eek:

     
  4. mirimir (Registered Member; joined Oct 1, 2011; 6,028 posts)
    Didn't Anonymous or LulzSec get Stuxnet source? Or was it just samples?
     
  5. Hungry Man (Registered Member; joined May 11, 2011; 9,148 posts)
    Stuxnet is open source.
     
  6. hawki (Registered Member; joined Dec 17, 2008; 1,954 posts; DC Metro Area)
    Son of Stuxnet? Researchers Warn of Impending Cyber Attack

    ABC News Oct. 18, 2011

    A new computer virus using "nearly identical" parts of the cyber superweapon Stuxnet has been detected on computer systems in Europe and is believed to be a precursor to a new Stuxnet-like attack, a major U.S.-based cyber security company said today.

    Stuxnet was a highly sophisticated computer worm that was discovered last year and was thought to have successfully targeted and disrupted systems at a nuclear enrichment plant in Iran. At the time, U.S. officials said the worm's unprecedented complexity and potential ability to physically sabotage industrial control systems -- which run everything from water plants to the power grid in the U.S. and in many countries around the world -- marked a new era in cyber warfare.

    Though no group claimed responsibility for the Stuxnet worm, several cyber security experts have said it is likely a nation-state created it and that the U.S. and Israel were on a short list of possible culprits.

    Whoever it was, the same group may be at it again, researchers said, as the authors of the new virus apparently had access to original Stuxnet code that was never made public.

    The new threat, discovered by a Europe-based research lab and dubbed "Duqu", is not designed to physically affect industrial systems like Stuxnet was, but apparently is only used to gather information on potential targets that could be helpful in a future cyber attack, cyber security giant Symantec said in a report today.

    "Duqu shares a great deal of code with Stuxnet; however, the payload is completely different," Symantec said in a blog post.

    Duqu is designed to record key strokes and gather other system information at companies in the industrial control system field and then send that information back to whomever planted the bug, Symantec said.

    If successful, the information gleaned from those companies through Duqu could be used in a future attack on any industrial control system in the world where the companies' products are used -- from a power plant in Europe to an oil rig in the Gulf of Mexico.

    "Right now it's in the reconnaissance stage, you could say," Symantec Senior Director for Security Technology and Response, Gerry Egan, told ABC News. "[But] there's a clear indication an attack is being planned."

    Duqu is also not designed to spread on its own, so researchers believe its targets were the computer systems it had already infiltrated, Egan said.

    The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team issued an alert today to "critical infrastructure owners and operators" on Duqu, urging them to take steps to secure their systems.

    "The extent of the threat posed by [Duqu] is currently being evaluated," the alert says.

    Another cyber security company, F-Secure Security Labs, also examined Duqu and said on its website that parts of its code were so similar to Stuxnet that its virus-detection system believed it was dealing with the same virus over again.

    A representative for Symantec said they were made aware of the new threat after the unnamed European research lab forwarded them a sample of the code along with their analysis comparing it with Stuxnet, which Symantec then confirmed. McAfee Labs, another cyber security power player, said they too had been given a sample of the Duqu code for analysis.

    "One thing for sure is the Stuxnet team is still active..." McAfee said on its website.

    http://abcnews.go.com/Blotter/stuxn...s-warn-similar-cyber-attack/story?id=14763854
     
  7. CloneRanger (Registered Member; joined Jan 4, 2006; 4,833 posts)
    The command and control server in India is unusual, could be just to put anyone off the true locations etc ?

    From the Symantec PDF

    Interesting disguise !

    GFI was one of the first to analyse it according to Symantec, but it was listed as 85625782.exe, not any of the files listed in the PDF?

    *

    Putting together "some" pieces :D

    IPs taken from the Symantec PDF

    68.132.129.18 = UUNET Technologies

    OrgName: UUNET Technologies, Inc.
    OrgId: UUDA
    Address: 22001 Loudoun County Parkway
    City: Ashburn
    StateProv: VA
    PostalCode: 20147
    Country: US

    UUNet Technologies = Verizon

    VA = Virginia. Who is in VA, you know who ;) Coincidence ? :p

    Re - UUNet Technologies, post in here

    Might be nothing ! But ?
     
  8. mirimir (Registered Member; joined Oct 1, 2011; 6,028 posts)
    "Massive Data Sweep" = Google + Microsoft + Oracle

    Right?
     
  9. wat0114 (Guest)

    How hard would it be for Iran to isolate their sensitive control systems from the outside world by operating in a closed, intranet-like environment, completely cut off from the outside world? If they can accomplish this, does it not stand to reason that they would address perhaps the most serious cyber threat imposed upon them by other countries?
     
  10. MrBrian (Registered Member; joined Feb 24, 2008; 6,032 posts; USA)
    From Analysis: Duqu Targets Certificate Authorities:
     
  11. MrBrian (Registered Member; joined Feb 24, 2008; 6,032 posts; USA)
    From Duqu: Protect Your Private Keys:
     
  12. funkydude (Registered Member; joined Apr 5, 2004; 6,851 posts)
    Does this even use any exploits? Or is the son inferior to the father?
     
  13. siljaline (Former Poster; joined Jun 29, 2003; 6,619 posts)
    Until more AV - AS Vendors get some code to play with, there likely won't be any more information forthcoming as far as looking under the hood is concerned.

     
  14. CloneRanger (Registered Member; joined Jan 4, 2006; 4,833 posts)
    Along with cmi4432.sys & jminet7.sys, the dropper has appeared as nfrd965.sys, masquerading as

    IBM ServeRAID Controller Driver

    nfrd965.sys - SHA1 = B3074B26B346CB76605171BA19616BAF821ACF66

    Date = Tuesday, October 19, 2010 11:39:50 AM


    Not that I've heard about, but it's early days. But due to its discovery, its days may be numbered, in its current config anyway.

    From the reports I've read/seen it "seems" just as potentially invasive etc.

    @ wat0114

    I believe they were isolated from the www, but Stuxnet was delivered/updated via USB.
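The post above gives one concrete indicator (the SHA1 of the nfrd965.sys sample) and two further driver names without hashes. The following is an added example, not code from the thread or from Symantec's report, showing how a practitioner would sweep a driver directory against exactly that kind of indicator list: a hash match is treated as a confirmed hit, a file-name match with no hash on record is only flagged as a lead. The default scan path, the reason strings and the function names are this example's own choices.

```python
"""Hash-based IOC sweep for the Duqu driver names and hash quoted in the thread.

Added example, not part of the thread or of any vendor report. The SHA1 for
nfrd965.sys is the one quoted in the post above; cmi4432.sys and jminet7.sys are
named there without hashes, so they can only be matched by name and are reported
as leads for manual review, not as confirmed detections.
"""
import hashlib
import os
from pathlib import Path

# Known-bad SHA1 from the post (shown uppercase there; compared lowercase here).
KNOWN_BAD_SHA1 = {
    "b3074b26b346cb76605171ba19616baf821acf66": "nfrd965.sys (Duqu driver, SHA1 from thread)",
}

# Driver file names mentioned in the thread; no hash given, so a name hit is only a lead.
SUSPICIOUS_NAMES = {"cmi4432.sys", "jminet7.sys", "nfrd965.sys"}


def sha1_of(path, chunk=1 << 20):
    """SHA1 of a file, read in chunks so large drivers do not load into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_bad=KNOWN_BAD_SHA1, names=SUSPICIOUS_NAMES, suffixes=(".sys",)):
    """Walk `root`, hash every file whose suffix is in `suffixes`, and return findings.

    Each finding is (path, sha1, reason). A hash match is a confirmed IOC hit; a
    name-only match means the file is worth pulling for analysis but is not yet
    evidence by itself (a legitimate driver could share the name).
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            p = Path(dirpath) / name
            try:
                digest = sha1_of(p)
            except OSError:
                # Unreadable file (locked, permissions): skip rather than abort the sweep.
                continue
            if digest in known_bad:
                findings.append((str(p), digest, "hash match: " + known_bad[digest]))
            elif name.lower() in names:
                findings.append((str(p), digest, "name match only (hash not in IOC list)"))
    return findings


if __name__ == "__main__":
    import sys
    # Default path is an assumption: the usual Windows driver directory.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers"
    for path, digest, reason in sweep(root):
        print(f"{digest}  {path}  [{reason}]")
```

Run it with a directory argument (or none, for the Windows driver folder). Extending KNOWN_BAD_SHA1 with hashes from a vendor report turns name-only leads into confirmed matches; until then a name hit should trigger a closer look (signature, version resource, load path) rather than an alert on its own.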
     
  15. Ranget (Registered Member; joined Mar 24, 2011; 846 posts; Not Really Sure :/)
    guys can't wait to see duqu vs security software thread :D

    anyway ~ Snipped as per TOS ~ malware is getting smarter and more advanced
     
    Last edited by a moderator: Oct 19, 2011
  16. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; California)
    All they (or any organization) need do is limit installation of any executable to the senior people in charge. Barring an insider attack (we really don't know the details of the attack for sure), Stuxnet would never have succeeded.

    For example, on computers in sensitive installations such as those nuclear ones, why should executables be permitted to run from USB without senior administrator permission?

    regards,

    -rich
     
  17. wat0114 (Guest)

    Thank you CloneRanger and Rmus! It stands to reason they were already off the www, so an insider attack makes sense. It must be easier to do than I'm imagining it to be :)
     
  18. aigle (Registered Member; joined Dec 14, 2005; 11,047 posts; Saudi Arabia/ Pakistan)
    It was a DLL execution bypassing many anti-executable measures, so that may be the reason for Stuxnet's success.
     
  19. m00nbl00d (Registered Member; joined Jan 4, 2009; 6,623 posts)
    They could have used Sandboxie to trap the flash drive... :D
     
  20. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; California)
    No doubt about it! But a quick review:

    Stuxnet Malware Analysis Paper
    http://www.codeproject.com/KB/web-security/StuxnetMalware.asp
    As Wilder's Supreme Anti-malware software tester, you demonstrated various ways this is prevented. Wouldn't you think, based on the success of Conficker which used a spoofed DLL, that the security people in critical industries would have secure protection in place to block unauthorized DLLs from loading? If blocked at this point, it never gets a chance to exploit the 0-day stuff.

    But even if the initial DLL dropper succeeds in loading, there are other interception points that come up later in the installation.

    A summary from the above paper:
    Barring an insider attack (at the highest level), Stuxnet or its Son should not succeed on a properly secured system/network.


    regards,

    -rich
     
    Last edited: Oct 19, 2011
  21. MrBrian (Registered Member; joined Feb 24, 2008; 6,032 posts; USA)
  22. Hungry Man (Registered Member; joined May 11, 2011; 9,148 posts)
    This is probably how they already do it. It's how most places do it. USBs and other methods will still carry the malware around.
     
  23. MrBrian (Registered Member; joined Feb 24, 2008; 6,032 posts; USA)
    From The Mystery of Duqu:
     
  24. CloneRanger (Registered Member; joined Jan 4, 2006; 4,833 posts)
    It turns out that nfrd965.sys is not the dropper as reported elsewhere :( but it is part of this evolving malware puzzle!

    I'm trying to get hold of the full enchilada to test it ;)

    @ MrBrian

    :thumb:

    The plot thickens :D
     
  25. aigle (Registered Member; joined Dec 14, 2005; 11,047 posts; Saudi Arabia/ Pakistan)
    I am also searching for the dropper. ;)

    Hope that we can find one for testing. So far none. :mad:
     