Recognize-Security » Malware

Stuxnet

Trancer — Mon, 27 Sep 2010 23:17:36 +0000

What can I say about the Stuxnet worm that hasn’t been said yet… It is one of the most media covered (read hyped) Malware\attack recently. The Stuxnet worm is by far the most sophisticated Malware ever seen.

Here are some of the highlights of the Stuxnet worm:

Discovered in June 2010 by VirusBlokAda, a Belarus based Anti-Virus vendor.
Targets Supervisory Control And Data Acquisition (SCADA) systems, specifically Siemens SIMATIC WinCC and PCS 7.
Programmable Logic Controllers (PLCs) reprogram capability.
Using three deferent vulnerabilities to spread itself, CVE-2010-2568 CPLINK vulnerability (MS10-046), CVE-2010-2729 Printer Spooler vulnerability (MS10-061) and CVE-2008-4250 Windows Server Service RPC Handling vulnerability (MS08-067) which was used by the Conficker worm. The first two were 0days.
Two more zero-day exploits which are still unpatched, both of them exploit privilege escalation vulnerabilities, one for Windows XP/2000 (via Keyboard layout file) and the second for Windows Vista/7 (via Task Scheduler).
Using a zero-day vulnerability in Siemens WinCC which abuses hard-coded credentials (uid=WinCCConnect;pwd=2WSXcder) and allows local users to access a back-end database and gain privileges (CVE-2010-2772)
Payloads are digitally signed by two stolen certificates of JMicron Technology Corporation and Realtek Semiconductor Corp (MrxCls.sys and MrxNet.sys)

Yeah, I know. That is one crazy worm.
Because of its complexity and sophistication, the knowledge it requires for attacking industrial infrastructure and the use of four deferent zero-day exploits, it is believed that the Stuxnet worm is a nation funded attack. Israel, the United States and NATO are the most speculated origins and the Bushehr Nuclear Power Plant or the Natanz nuclear facility are the most speculated targets. Whoever built it left almost no clues (b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb). But in my opinion, with the amount of sophistication put in this attack, we’ll probably never get answers for these questions.

For further information and technical analysis of the Stuxnet worm I recommend reading:
– ESET analysis of the Stuxnet worm and compression to Operation Aurora – Stuxnet Under the Microscope or online on Google Docs.
– Symantec wrote some very detailed posts on Stuxnet – Symantec Connect.
– Langner security analysis of Stuxnet – Stuxnet is a directed attack — ‘hack of the century’.
– Securelist blog on Stuxnet.
– Stuxnet Questions and Answers by F-Secure.
– Symantec released a technical analysis white paper – W32.Stuxnet Dossier or online on Google Docs.

Update:
For anyone interested, here’s a sample of Win32/Stuxnet.A provided by Abysssec for educational purposes only – Stuxnet_stub_Unpacked.zip (password: abysssec).

Twitter XSS Worms

Trancer — Mon, 13 Apr 2009 19:35:26 +0000

For the past few days two web worms are spreading through Twitter, the popular social micro-blogging utility. The first worm, called the “StalkDaily” worm, start spreading on Saturday, infect user profile pages, steal users browser cookies and post unwanted tweets. A second variation called the “Mikeyy” worm, start spreading on Sunday and does pretty much the same.
The worms use a Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities to spread, which the Twitter guys already closed.
Both worms were created by Michael “Mikeyy” Mooney, a 17 year old teenager. You can read an interview with Mooney on CNET News.

Here’s both “StalkDaily” worm and “Mikeyy” worm JavaScript code, for educational purposes.

Further reading:
Twitter Blog: Wily Weekend Worms.
F-Secure – Twitter worm outbreak over Easter.
Twitter Worm Analysis by Ryan Barnett.

Conficker

Trancer — Sun, 01 Mar 2009 15:17:46 +0000

Right after an exploit code was published for the MS08-067 vulnerability it was only a matter of time until virus coders will write a virus that use this vulnerability to spread.
Well, exploiting this vulnerability is one of the techniques the Conficker (aka Downadup and Kido) virus use to spread itself, and that’s what makes it so dangerous.
With more then 20 millions infected computers out there, security firms say it is the severest computer virus since the SQL Slammer, and Microsoft is going nuts over it, offering a $250,000 bounty for information leading to the catch of the guys who created and/or distribute the virus.
In my opinion, 20 million is a really rough estimate of the infected computers out there. I believe the numbers are greater, due to the fact that the virus also spread itself through portable storage devices (USB drives and other removable media) and by that slipping in to organizations internal networks. Here’s where the numbers are getting blurry, we don’t know what’s the virus infection scale inside these internal networks, where it can spread much more easily using network shares, computers with weak passwords and exploiting the MS08-067 vulnerability.
It’s a known fact that the software and operating systems inside these organizations internal networks aren’t always up-to-date, and sometimes it takes months, if not years, for these organizations to update their computers.
It happens mostly when vendors release major service packs or… after a virus infects their networks :-)
Conficker is that example, a lesson for all these organizations that doesn’t patch their systems. I guess they need these kind of lesson every once and a while.
Even the IDF internal networks got infected by Conficker (Hebrew).

Conficker comes in three variants – Win32/Conficker.A, Win32/Conficker.B and Win32/Conficker.B++.
SRI International Malware Threat Center wrote a great analysis for the virus and all the variants here – An Analysis of Conficker’s Logic and Rendezvous Points.
See also:
Downadup – Advanced Crypto Protection by Elia Florio of Symantec.
Microsoft help protecting yourself against the Conficker worm.

Update:
Win32/Conficker.C is on the loose, armed with more self protection mechanisms and a larger domain pool.
On April 1st, Conficker.C will attempt to dial home to 500 random domains out of 50000 generated domains. A great change from the previous variants that would dial home to 32 out of 250 domains.
This time the worm is also much more violent and will attempt to disable Windows Automatic Updates and stop access to the Windows Security Center, also killing anti-virus processes, preventing access to anti-virus websites, delete system restore points, disable various protection services such as Windows Defender and the Windows Error Reporting Service and much more.

For a detailed analysis of Conficker.C, check the CA Win32/Conficker.C Virus Analysis and the SRI International Malware Threat Center analysis of Conficker C.
Also see this Detecting Conficker in your Network paper.

See you on Conficker.D ?!