Stuxnet


26 replies to this topic

#1 JMC31337 (Addict, Full Member, 309 posts, Virgin Islands)
Posted 28 September 2010 - 03:12 PM

This is what I could find and rar up:
2 tmp files
1 exe that is really a dll
1 lnk file
1 lnk file (suckme)
1 sys file
1 dll file (suckme)

vidnux.com
offensivecomputing
4shared

It may still be incomplete, so if it is, let me know. There are 2 sys files, yet I could only find 1. The sites where I found parts of this worm are listed above.

rar passwd: infected

Attached Files


  • Anonymous 2012 likes this
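
The "exe that is really a dll" item in the post above is something a triage script can catch from the headers alone. As an added example (not code from this thread), this Python reads only the DOS and COFF headers, never loading or executing the sample, and reports when the IMAGE_FILE_DLL characteristic disagrees with the file extension; make_fake_pe builds a constructed header-only blob for demonstration and is not a real executable.

```python
"""Header-only PE triage: does the extension match the DLL flag?"""
import struct
from pathlib import Path
from typing import Optional

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics: image is linked
IMAGE_FILE_DLL = 0x2000                # COFF Characteristics: image is a DLL


def pe_is_dll(data: bytes) -> Optional[bool]:
    """True if COFF Characteristics has IMAGE_FILE_DLL, False if not, None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    # Signature(4) Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2) -> 24 bytes, Characteristics at +22
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """Describe a mismatch between the extension and the PE flags, else None."""
    is_dll = pe_is_dll(data)
    ext = Path(name).suffix.lower()
    if is_dll is None:
        # Only complain when the name claims to be a Windows image.
        return f"{name}: not a valid PE image" if ext in (".exe", ".dll", ".sys") else None
    if ext == ".exe" and is_dll:
        return f"{name}: extension says EXE but IMAGE_FILE_DLL is set"
    if ext in (".dll", ".sys") and not is_dll:
        return f"{name}: extension says DLL/driver but IMAGE_FILE_DLL is clear"
    return None


def make_fake_pe(characteristics: int) -> bytes:
    """Constructed DOS + PE + COFF header blob for testing (assumption: x86 machine)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = make_fake_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    print(extension_mismatch("loader.exe", sample))
```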

#2 Syntax (Mega Poster, Full Member, 182 posts, European Union)
Posted 29 September 2010 - 07:00 PM

Interesting.

http://www.pcworld.c...ar_program.html

#3 JMC31337 (Addict, Full Member, 309 posts, Virgin Islands)
Posted 29 September 2010 - 08:18 PM

> Interesting.
>
> http://www.pcworld.c...ar_program.html

Of course it was, at least Variant B, though I care less about decoding as I don't have the system that it was designed for, nor do I feel like making a "fake" system to get StuxNet to do its thing. In other words, is it possible that if StuxNet B is looking for this file we can create that "fake" file and make it think we are real? I dunno.. Btw, 2 things:
1) Security advisors have stated it was designed to attack that plant
2) the 2 tmp and 1 lnk files are indeed StuxNet B

Keep in mind most botnet files are 15kb in size; these tmp files, at least that 1, are upwards of 500kb. I would be very interested in knowing how the BOTNET portion of this worm acts.
Now, according to wiki, Israel and USA are allies. So to hear the security industry point fingers at 1 or the other is ridiculous.. they are both on the same team.

Edited by JMC31337, 29 September 2010 - 11:19 PM.


#4 deepzero (Post Junkie, Full Member+, 1,102 posts, European Union)
Posted 01 October 2010 - 12:59 PM

Thanks for the links guys, all bookmarked.
I am not able to find a full set of Stuxnet files though, especially the 1.18 MB main dll file.
Anyone...? :^

#5 deepzero (Post Junkie, Full Member+, 1,102 posts, European Union)
Posted 01 October 2010 - 01:24 PM

Here are its 4 digitally signed drivers.
Still looking for the main dll....

http://www45.zippyshare.com/v/63235727/file.html
pass: infected

edit:
Found the main dropper. I extracted & unpacked the main dll from it. Dropper & decrypted+unpacked main dll here:
http://www34.zippyshare.com/v/83741603/file.html
pass: infected

In the dll one can actually see all these interesting strings in plain text. Will look into it deeper tomorrow. :rolleyes:

Edited by deepzero, 01 October 2010 - 06:10 PM.

  • Rachel likes this

#6 JMC31337 (Addict, Full Member, 309 posts, Virgin Islands)
Posted 04 October 2010 - 10:11 PM

> Here are its 4 digitally signed drivers.
> Still looking for the main dll....
>
> http://www45.zippyshare.com/v/63235727/file.html
> pass: infected
>
> edit:
> Found the main dropper. I extracted & unpacked the main dll from it. Dropper & decrypted+unpacked main dll here:
> http://www34.zippyshare.com/v/83741603/file.html
> pass: infected
>
> In the dll one can actually see all these interesting strings in plain text. Will look into it deeper tomorrow. :rolleyes:

What encryption was it, K?
Shucks, I may as well take a peek into nuclear technology myself...
NICE JOB!

Yea, sneak peek nothing... damn, that's some complicated stuff right there.

Particularly interesting seeing that WinCC:
SCADA System SIMATIC WinCC - Operator control and monitoring

Edited by JMC31337, 05 October 2010 - 01:28 AM.


#7 JMC31337 (Addict, Full Member, 309 posts, Virgin Islands)
Posted 09 October 2010 - 12:52 AM

You see how the StuxNet worm opcode totally disappears when you get into the middle of it sometimes... nasty...

#8 parva (Newbie, Junior, 2 posts, Iran)
Posted 04 November 2010 - 02:39 AM

> What encryption was it, K?
> Shucks, I may as well take a peek into nuclear technology myself...
> NICE JOB!
>
> Yea, sneak peek nothing... damn, that's some complicated stuff right there.
>
> Particularly interesting seeing that WinCC:
> SCADA System SIMATIC WinCC - Operator control and monitoring

Hi, I have to analyse the main dll exports of Stuxnet for my security in computer systems course project. Does anyone have something useful for me?

#9 deepzero (Post Junkie, Full Member+, 1,102 posts, European Union)
Posted 04 November 2010 - 05:51 AM

Main dll is in post #5, second link...

#10 parva (Newbie, Junior, 2 posts, Iran)
Posted 04 November 2010 - 08:11 AM

> Main dll is in post #5, second link...

I found it, but I want to know how these resources and exports work, and what the result is when they execute.

#11 chickenbutt (Mega Poster, Full Member, 231 posts, Estonia)
Posted 09 November 2010 - 06:51 AM

According to 'experts', anything that uses a shellcode propagation method is advanced..

This uses no decent DNS obfuscation and is easy to detect even without an ARK. It looks like its vector is some proprietary server, and it has heap spray to get past page guards and ASLR. Most RK researchers probably don't bother because there is other stuff more advanced in the industrial>consumer sector that does stuff like flux DNS and writing outside partitions and injecting in drivers.

If you're on a FAT or NTFS partition on a laptop you probably have the Computrace rootkit calling home every boot up; AVs even keep the mapped PE out of HIPS and sigs ^^

#12 Peter Ferrie (just some random guy, Full Member, 152 posts, Australia)
Posted 10 November 2010 - 11:23 AM

> According to 'experts', anything that uses a shellcode propagation method is advanced..

Stuxnet is advanced, but not because of the shellcode. The shellcode is very simple; it's everything else that it does that makes it advanced.

> ...has heap spray to get past page guards and ASLR.

Stuxnet uses no heap spray. It does not need to: it knows exactly where the shellcode needs to be placed, because it can see the required pointer from user-mode.

#13 chickenbutt (Mega Poster, Full Member, 231 posts, Estonia)
Posted 11 November 2010 - 06:40 AM

> Stuxnet is advanced, but not because of the shellcode. The shellcode is very simple; it's everything else that it does that makes it advanced.
>
> Stuxnet uses no heap spray. It does not need to: it knows exactly where the shellcode needs to be placed, because it can see the required pointer from user-mode.

It's pretty obvious the author had access to binaries then, to avoid an IDS.. It's still not as interesting as some stuff on x86 that uses flux DNS and stores encrypted data outside partitions from inside native kernel code. Torpig and Rustock are being spread by shellcode droppers too.

If you think this is interesting, go read about the Computrace rootkit that is on most laptops and other consumer machines, that maps from BIOS to FAT and NTFS, and is a hard-coded exception in most AVs. Or all the worms on the Cirrus banking network that they try to keep hidden. Politics brought this one into the mainstream.

Edited by chickenbutt, 11 November 2010 - 06:49 AM.


#14 Teddy Rogers (Site Administrator, Administrator, 10,308 posts, Australia)
Posted 20 November 2010 - 05:26 PM

> Detailed analysis of the code in the Stuxnet worm has narrowed the list of suspects who could have created it.

http://www.bbc.co.uk...nology-11795076

I'm not quite sure how narrowed that can be... :dunno:

Ted.

#15 Syntax (Mega Poster, Full Member, 182 posts, European Union)
Posted 22 November 2010 - 11:57 AM

Stuxnet: A Breakthrough

http://www.symantec....et-breakthrough

#16 deepzero (Post Junkie, Full Member+, 1,102 posts, European Union)
Posted 01 December 2010 - 09:26 AM

Just for the record, here is the dropper as it spreads via USB.

pass: infected

!!Viewing the malicious .lnk files on an unpatched Windows will get you infected immediately!!

The extracted main dll & the drivers can be found in post #5.

Attached Files

Edited by deepzero, 01 December 2010 - 09:27 AM.

  • Rachel likes this

#17 JMC31337 (Addict, Full Member, 309 posts, Virgin Islands)
Posted 15 December 2010 - 01:14 AM

Anyone know why that opcode disappears when using OllyDbg?

#18 evlncrn8 (repoleved dip dna reverser, Full Member, 383 posts, Ireland)
Posted 15 December 2010 - 01:45 AM

What opcode?

#19 guest33 (Newbie, Junior, 1 post, Afghanistan)
Posted 28 December 2010 - 09:06 AM

Thanks for the files. Even though Stuxnet is patched now, I consider this the work of a team of masterminds, probably the NSA; we will probably never know.

Goes into my collection of nasties.

#20 deepzero (Post Junkie, Full Member+, 1,102 posts, European Union)
Posted 28 December 2010 - 10:59 AM

> Goes into my collection of nasties.

Mind sharing that collection? :turned:
