JMC31337 Posted September 28, 2010

This is what I could find and rar up:
- 2 tmp files
- 1 exe that is really a dll
- 1 lnk file
- 1 lnk file (suckme)
- 1 sys file
- 1 dll file (suckme)

Sources: vidnux.com, offensivecomputing, 4shared

It may still be incomplete, so if it is, lemme know. There are 2 sys files, yet I could only find 1. The sites where I found parts of this worm are listed above.

rar passwd: infected
Attachment: StuxNet.rar
Syntax Posted September 30, 2010

Interesting.
http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html
JMC31337 Posted September 30, 2010 (edited)

> Interesting.
> http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html

Of course it was, at least Variant B, though I care less about decoding as I don't have the system it was designed for, nor do I feel like making a "fake" system to get StuxNet to do its thing. In other words, is it possible that if StuxNet B is looking for this file we can create that "fake" file and make it think we are real? I dunno.

Btw, 2 things:
1) Security advisors have stated it was designed to attack that plant
2) The 2 tmp and 1 lnk files are indeed StuxNet B

Keep in mind most botnet files are 15kb in size; these tmp files, at least that 1, are upwards of 500kb. I would be very interested in knowing how the BOTNET portion of this worm acts.

Now according to wiki, Israel and USA are allies. So to hear the security industry point fingers at 1 or the other is ridiculous; they are both on the same team.

Edited September 30, 2010 by JMC31337
deepzero Posted October 1, 2010

Thanx for the links guys, all bookmarked. I am not able to find a full set of stuxnet files though, especially the 1,18 MB main dll file. Anyone...?
deepzero Posted October 1, 2010 (edited)

Here are its 4 digitally signed drivers. Still looking for the main dll....
http://www45.zippyshare.com/v/63235727/file.html
pass: infected

Edit: found the main dropper. I extracted & unpacked the main dll from it. Dropper & decrypted+unpacked main dll here:
http://www34.zippyshare.com/v/83741603/file.html
pass: infected

In the dll one can actually see all these interesting strings in plain text. Will look into it deeper tomorrow.

Edited October 2, 2010 by deepzero
JMC31337 Posted October 5, 2010 (edited)

> Here are its 4 digitally signed drivers. Still looking for the main dll....
> http://www45.zippyshare.com/v/63235727/file.html
> pass: infected
> Edit: found the main dropper. I extracted & unpacked the main dll from it. Dropper & decrypted+unpacked main dll here:
> http://www34.zippyshare.com/v/83741603/file.html
> pass: infected
> In the dll one can actually see all these interesting strings in plain text. Will look into it deeper tomorrow.

What encryption was it K? Shucks, I may as well take a peek into Nuclear Technology myself... NICE JOB!

Yea, sneak peek nothing... damn, that's some complicated stuff right there. Particularly interesting seeing that WinCC: SCADA System SIMATIC WinCC - Operator control and monitoring

Edited October 5, 2010 by JMC31337
JMC31337 Posted October 9, 2010

You see how the StuxNet worm OPCODE totally disappears when ya get into the middle of it sometimes... nasty...
parva Posted November 4, 2010

> What encryption was it K? Shucks, I may as well take a peek into Nuclear Technology myself... NICE JOB!
> Yea, sneak peek nothing... damn, that's some complicated stuff right there. Particularly interesting seeing that WinCC: SCADA System SIMATIC WinCC - Operator control and monitoring

Hi, I have to analyse the main dll exports of stuxnet for my "security in computer systems" course project. Does anyone have something useful for me?
deepzero Posted November 4, 2010

Main dll is in post #5, second link...
parva Posted November 4, 2010

> Main dll is in post #5, second link...

I found it, but I want to know how these resources and exports work, and what the result is when they execute.
chickenbutt Posted November 9, 2010

According to 'experts' anything that uses a shellcode propagation method is advanced..

This uses no decent DNS obfuscation and is easy to detect even without an ARK. It looks like its vector is some proprietary server, and it has heap spray to get past page guards and ASLR. Most RK researchers probably don't bother because there is other stuff more advanced in the industrial>consumer sector that does stuff like flux DNS and writing outside partitions and injecting in drivers.

If you're on a FAT or NTFS partition on a laptop you probably have the computrace rootkit calling home every boot up. AVs even keep the mapped PE out of HIPS and sigs ^^
Peter Ferrie Posted November 10, 2010

> According to 'experts' anything that uses a shellcode propagation method is advanced..

Stuxnet is advanced, but not because of the shellcode. The shellcode is very simple; it's everything else that it does that makes it advanced.

> ...has heap spray to get past page guards and ASLR.

Stuxnet uses no heap spray. It does not need to - it knows exactly where the shellcode needs to be placed, because it can see the required pointer from user-mode.
chickenbutt Posted November 11, 2010 (edited)

> Stuxnet is advanced, but not because of the shellcode. The shellcode is very simple; it's everything else that it does that makes it advanced.
> Stuxnet uses no heap spray. It does not need to - it knows exactly where the shellcode needs to be placed, because it can see the required pointer from user-mode.

It's pretty obvious the author had access to binaries then, to avoid an IDS.

It's still not as interesting as some stuff on x86 that uses fluxdns and stores encrypted data outside partitions from inside native kernel code. Torpig and Rustock are being spread by shellcode droppers too.

If you think this is interesting, go read about the computrace rootkit that is on most laptops and other consumer machines, that maps from bios to FAT and NTFS, and is a hard coded exception in most AVs. Or all the worms on the cirrus banking network that they try to keep hidden. Politics brought this one into the mainstream.

Edited November 11, 2010 by chickenbutt
Teddy Rogers Posted November 20, 2010

> Detailed analysis of the code in the Stuxnet worm has narrowed the list of suspects who could have created it.
http://www.bbc.co.uk/news/technology-11795076

I'm not quite sure how narrowed that can be...

Ted.
Syntax Posted November 22, 2010

Stuxnet: A Breakthrough
http://www.symantec.com/connect/blogs/stuxnet-breakthrough
deepzero Posted December 1, 2010 (edited)

Just for the records, here is the dropper as it spreads via USB.
pass: infected

!! Viewing the malicious .lnk files on an unpatched Windows will get you infected immediately !!

The extracted main dll & the drivers can be found in post #5.
Attachment: stuxnet usb infection.rar

Edited December 1, 2010 by deepzero
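A defender's triage check for the .lnk warning in the post above, added here as an example and not code from the thread or from any of its posters: it parses the fixed ShellLink header and the LinkTargetIDList and flags a shortcut whose target ID list names a .dll, which an ordinary shortcut to a program, document or folder does not. The ".dll in the ID list" heuristic, the helper names and the two sample shortcuts are constructed for this example; the builder emits only the header and ID list, while real shortcuts carry further structures after it.

```python
import struct

# ShellLink header constants from the [MS-SHLLINK] format: fixed 0x4C-byte
# header, the LinkCLSID {00021401-0000-0000-C000-000000000046}, and the
# LinkFlags bit that says a LinkTargetIDList follows the header.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001

# Heuristic (an assumption of this example, not a rule from the thread): a
# shortcut whose target ID list names a .dll is worth a second look, because a
# normal shortcut points at an executable, document or folder, not a library.
DLL_MARKERS = (b".dll", ".dll".encode("utf-16-le"))


def parse_lnk(data: bytes):
    """Return (link_flags, [item bytes, ...]) for a ShellLink blob.

    Raises ValueError for anything that is not a well-formed header/ID list.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    (link_flags,) = struct.unpack_from("<I", data, 0x14)

    items = []
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        offset = HEADER_SIZE
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2
        end = offset + id_list_size
        if end > len(data):
            raise ValueError("IDList runs past end of file")
        # ItemIDList: a sequence of ItemID (u16 size including the size field,
        # then data) terminated by a u16 zero (TerminalID).
        while offset + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, offset)
            if item_size == 0:
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("corrupt ItemID size")
            items.append(data[offset + 2 : offset + item_size])
            offset += item_size
    return link_flags, items


def is_shell_link(data: bytes) -> bool:
    """True if the blob parses as a ShellLink (header and ID list are sane)."""
    try:
        parse_lnk(data)
    except ValueError:
        return False
    return True


def lnk_references_dll(data: bytes) -> bool:
    """True if any target ID list item names a .dll (ASCII or UTF-16LE)."""
    _, items = parse_lnk(data)
    # bytes.lower() only touches ASCII letters, so it also lowercases the
    # UTF-16LE form where every letter is followed by a NUL byte.
    return any(marker in item.lower() for item in items for marker in DLL_MARKERS)


def build_lnk(items):
    """Build a minimal, constructed ShellLink with the given ItemID payloads."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(HEADER_SIZE, b"\x00")  # rest of the header zeroed
    body = b"".join(struct.pack("<H", len(item) + 2) + item for item in items)
    body += b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(body)) + body


# Constructed samples (not real artefacts from the thread): a benign shortcut
# whose ID list names an executable, and one whose ID list names a DLL path.
BENIGN_LNK = build_lnk([b"\x1f\x50" + b"\x00" * 16,
                        "C:\\Windows\\notepad.exe".encode("utf-16-le")])
SUSPECT_LNK = build_lnk([b"\x1f\x50" + b"\x00" * 16,
                         "\\\\?\\C:\\tmp\\Payload.DLL".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, "references a DLL:", lnk_references_dll(blob))
```

Run it over a directory of .lnk files pulled off removable media before anyone opens them in Explorer; a hit is a reason to keep the stick off a production box and hand the file to a sandbox, not proof of infection on its own.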
JMC31337 Posted December 15, 2010

Anyone know why that opcode disappears when using OllyDbg?
evlncrn8 Posted December 15, 2010

What opcode?
Guest guest33 Posted December 28, 2010

Thanks for the files. Even though stuxnet is patched now, I consider this the work of a team of masterminds, probably the NSA; we will probably never know. Goes into my collection of nasties.
deepzero Posted December 28, 2010

> Goes into my collection of nasties.

Mind sharing that collection?
Anonymous 2012 Posted December 19, 2011

@JMC31337 Thanks for the StuxNet virus and Happy New Year
JMC31337 Posted December 29, 2011 (edited)

> @JMC31337 Thanks for the StuxNet virus and Happy New Year

Thanks for what??? Who is JMC31337? What's a STUXNET?

Edited December 29, 2011 by JMC31337
0xFF Posted January 30, 2012

I would lol if it was written in VB.... "Access violation XXXXXX @ XXXXXXXX msvb6.dll was not found"
chickenbutt Posted March 29, 2012

It was probably generated with a custom PE kit. Opcodes disappear because of threaded mutations and disassembler bugs. Use IDA and hook thread creation.

If you invest any time into figuring this out, all that it will result in is knowledge of its actions and AV companies making money by ripping what you publish about it. Same with any advanced protector.
JMC31337 Posted April 21, 2012 (edited)

> It was probably generated with a custom PE kit. Opcodes disappear because of threaded mutations and disassembler bugs. Use IDA and hook thread creation.
> If you invest any time into figuring this out, all that it will result in is knowledge of its actions and AV companies making money by ripping what you publish about it. Same with any advanced protector.

Yea, you're damn right they will, and then get paid off by the govt... $$$ spent to teach em, when other VX sites teach for free. Ehh ehh...

Edited April 21, 2012 by JMC31337