Friday, October 1, 2010

Stuxnet Update: Dossier & FAQ

We’re pleased to announce that we’ve compiled the results of many weeks of fast-paced analysis of Stuxnet into a white paper entitled the W32.Stuxnet Dossier. In addition to the elements we described in the ongoing Stuxnet summer blog series, you will find full technical details about the threat’s components and data structures, as well as high-level information, including:
  • Attack scenario and timeline
  • Infection statistics
  • Malware architecture
  • Description of all the exported routines
  • Injection techniques and anti-AV
  • The RPC component
  • Propagation methods
  • Command and control feature
  • The PLC infector
The paper is scheduled to be delivered at the Virus Bulletin 2010 conference and can be downloaded here.


Stuxnet Questions and Answers

Q: Is it true that there are biblical references inside Stuxnet?

A: There is a reference to Myrtus (myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code on his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.
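The PDB path described above is stored in the binary's CodeView debug record (an "RSDS" record: the 4-byte signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated path). The following Python is an added example, not code from the original post or from Symantec: it scans a raw file image for such records and reports the embedded path together with its first directory component, which is the kind of project name ("myrtus", "Aurora_Src") an analyst can pull out during triage. The byte image it scans is constructed inline for the example; only the two paths are taken from the post, and the GUID and age values are made up.

```python
import re
import struct
import uuid
from typing import List, NamedTuple

# Layout of a CodeView "RSDS" (PDB 7.0) debug record:
#   char  Signature[4]   "RSDS"
#   GUID  PdbSignature   16 bytes
#   DWORD Age            4 bytes, little-endian
#   char  PdbFileName[]  NUL-terminated ANSI path
RSDS_MAGIC = b"RSDS"
RSDS_HEADER = struct.Struct("<4s16sI")


class PdbRecord(NamedTuple):
    offset: int   # byte offset of the record in the scanned image
    guid: str     # PDB GUID, canonical text form
    age: int      # PDB age counter
    path: str     # embedded PDB path as left by the linker
    project: str  # first directory component of that path


def _project_name(path: str) -> str:
    """First directory component of the PDB path, e.g. 'myrtus'."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    # A leading drive letter such as 'C:' is not a project name; skip it.
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return parts[0] if len(parts) > 1 else ""


def extract_pdb_records(data: bytes) -> List[PdbRecord]:
    """Find every plausible RSDS record in a raw file image.

    Scanning for the magic instead of walking the PE debug directory keeps
    the example independent of PE parsing and also finds records in
    packed or truncated samples; the sanity checks below drop false hits.
    """
    records: List[PdbRecord] = []
    start = 0
    while True:
        off = data.find(RSDS_MAGIC, start)
        if off < 0 or off + RSDS_HEADER.size > len(data):
            break
        start = off + 1
        _, guid_bytes, age = RSDS_HEADER.unpack_from(data, off)
        name_start = off + RSDS_HEADER.size
        name_end = data.find(b"\x00", name_start)
        if name_end < 0:
            continue
        raw = data[name_start:name_end]
        # Plausibility: non-empty, printable ASCII, and it names a .pdb file.
        if not raw or not all(0x20 <= b < 0x7F for b in raw):
            continue
        path = raw.decode("ascii")
        if not path.lower().endswith(".pdb"):
            continue
        guid = str(uuid.UUID(bytes_le=guid_bytes))
        records.append(PdbRecord(off, guid, age, path, _project_name(path)))
    return records


def _build_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    """Assemble one RSDS record (used only to build the constructed sample)."""
    return RSDS_HEADER.pack(RSDS_MAGIC, guid.bytes_le, age) + path.encode("ascii") + b"\x00"


# Constructed sample image: not a real binary. The two paths come from the
# post; the GUID and age values are invented for the example.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 60
    + _build_rsds(r"\myrtus\src\objfre_w2k_x86\i386\guava.pdb", SAMPLE_GUID, 1)
    + b"\x00" * 32
    + b"RSDS\x00\x00junk"  # decoy: the magic without a valid record behind it
    + b"\x00" * 32
    + _build_rsds(r"\Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb", SAMPLE_GUID, 3)
)


if __name__ == "__main__":
    for rec in extract_pdb_records(SAMPLE_IMAGE):
        print(f"offset={rec.offset:#x} age={rec.age} guid={rec.guid}")
        print(f"  path={rec.path}")
        print(f"  project={rec.project!r}")
```

To run it against a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `extract_pdb_records`. The decoy in the constructed image shows why the plausibility checks matter: the four magic bytes can occur by chance in unrelated data, so a bare string search for "RSDS" would over-report.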


Myrtus (myrtle) is a genus of one or two species of flowering plants in the family Myrtaceae (or Myrtle family), native to southern Europe and north Africa. Guavas are plants in the myrtle family (Myrtaceae) genus Psidium, which contains about 100 species of tropical shrubs and small trees.


Stuxnet Used in Blackhat SEO Campaign

As expected, criminals are now taking advantage of the notoriety of Stuxnet as a mechanism to deploy malicious code. Senior Threats Researcher Ivan Macalintal found poisoned search results that leveraged this notorious malware threat. Some of the search strings used in this blackhat SEO campaign include “stuxnet SCADA,” “stuxnet removal tool,” “stuxnet cleanup,” “stuxnet siemens,” and “stuxnet worm,” among others. Some of these poisoned search words/phrases appeared among the top results.
