Stuxnet

abalfazl · October 19, 2010, 6:15am

Stuxnet.A creates the following files:

* MRXCLS.SYS and MRXNET.SYS, in the folder drivers of the Windows system directory. These files belong to the malware detected as Rootkit/TmpHider. [B]These files have the digital signatures of certain companies, which have been supposedly stolen from them. The aim is to pass themselves as legitimate files.[/B]

Please explain more about bold files

abalfazl · October 22, 2010, 5:21pm

Stuxnet.A creates several random mutexes, in order to ensure that only a copy of the worm is active at any moment.

if it wants to make sure only one stux is running then it must create mutex for evey computer. what does it mean by several random mutexes?

which resource locks by this mutex?

RosBlanc · October 20, 2010, 5:12pm

Also Stuxnet is just for attacking some industrial systems, not home or office systems. And their mainly target were iran factories or industries, and china ones. Don’t worry it wont do anything on any home or office pc, unless they are in the specific target list of stuxnet.

Aleksejs · October 19, 2010, 11:53am

On bold lines:
It means that the authors of this malware somehow got hold of legitimate code signing keys (or could some how trick affected software companies to sign) that are used to sign drivers in windows ( http://www.microsoft.com/whdc/driver/install/drvsign/default.mspx )

More on stuxnet:
http://www.schneier.com/blog/archives/2010/10/stuxnet.html
http://www.h-online.com/security/news/item/Stuxnet-worm-can-control-industrial-systems-1080751.html
http://www.h-online.com/security/news/item/Stuxnet-also-found-at-industrial-plants-in-Germany-1081469.html
http://www.h-online.com/security/news/item/Vulnerability-exploited-by-Stuxnet-discovered-more-than-a-year-ago-1095797.html
http://www.h-online.com/security/news/item/Iran-confirms-Stuxnet-cyber-attack-1096552.html
http://www.h-online.com/security/news/item/Stuxnet-brings-more-new-tricks-to-cyberwar-1098810.html
http://www.h-online.com/security/news/item/Stuxnet-strikes-China-1099519.html

abalfazl · October 26, 2010, 10:08am

May someone guide me

Aleksejs · October 26, 2010, 10:57am

Basically it means that this virus creates multiple values (files/registry entries) that it checks to see if that system is already infected and by which version of virus.

abalfazl · November 18, 2010, 5:33pm

The Department of Homeland Security (DHS) and a team at the national lab have reverse-engineered and decoded Stuxnet

http://news.yahoo.com/s/csm/20101118/ts_csm/344234
May someone explain about how to decode stuxnet?

markosolo · November 25, 2010, 10:30am

It possible to reverse engineer pretty much any program, however its a complex business. And you would need some knowledge at least of shellcoding and assembly.

There is a dossier available on Stuxnet, I read it a few weeks back, it was made by Symantec and is about 60 pages long but it is a good read.

All the best,

Mark

abalfazl · November 27, 2010, 6:14am

Is there anyone to explain how to decode stuxnet?May you explain more about how to decode it? Is it by assembly?

Aleksejs · November 27, 2010, 1:10pm

Stuxnet is one of most advanced malware known to general public. It is made by highly skilled developers with the aim to make reverse engineering it very difficult, even for people who possess necessary skills and resources. And yet you wish to reverse engineer it yourself… Google for disassembly, malware forensics. Look through giac.org / sans.org certification materials and whitepapers on software forensics. Or to get the picture - try figuring out the exact algorithm of tracert.exe utility that comes with windows.