Monday, October 4, 2010

Stuxnet Quick RE and Demo

Stuxnet is one of the most sophisticated worms known so far, at least as of 2010. Worms of this kind are rare and may appear only once every few years. Most malware analysts are interested in its hardware-control functionality, which targets Programmable Logic Controllers (PLCs), used mostly in factories to drive the attached machinery.

The YouTube video below shows a proof-of-concept demonstration of how a Stuxnet-like program takes over a PLC and changes the operation of an air pump, presented by Liam O'Murchu at the Virus Bulletin 2010 conference in Vancouver.


Stuxnet took me a week to analyze, portion by portion; given the complexity of the code and the encrypted forms it comes in, it could take several more days to come up with anything new. This blog post shows a quick analysis.

Stuxnet uses 5 different Windows vulnerabilities: LNK (MS10-046), Print Spooler (MS10-061), Server Service (MS08-067), privilege escalation via a keyboard layout file, and privilege escalation via Task Scheduler. Currently, two of these vulnerabilities are not yet patched.


A few interesting strings were found here; they reveal the directory of the Stuxnet source code. 'Myrtus' and 'Guava' are most probably plants commonly grown in the author's country. Stuxnet also uses a stolen digital signature from Realtek Semiconductor Corp. to convince users, even advanced ones, that a valid driver has been installed, but that digital signature has since been revoked.
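As an added example (not code from the original post), here is a small Python indicator scanner for the source-path strings mentioned above. It searches a byte buffer for 'myrtus' and 'guava' in both narrow (ASCII) and wide (UTF-16LE) encodings, since Windows binaries carry strings in either form, and then recovers the surrounding printable run so the analyst sees the whole path rather than just the matched fragment. The sample buffer and the paths inside it are constructed for this demonstration and are not taken from a real sample.

```python
"""Hunt for source-path indicator strings in a binary blob.

Added example for the post above; the indicator words come from the post,
the sample buffer below is constructed.
"""
import re

# Indicator fragments named in the post. Matching is case-insensitive.
INDICATORS = ("myrtus", "guava")


def _patterns(indicators):
    """One compiled regex per indicator per encoding.

    Narrow strings are plain ASCII; wide strings are UTF-16LE, which is what
    Windows uses for many in-binary strings. Escaping the encoded bytes keeps
    the NUL bytes of the wide form as literal pattern bytes.
    """
    pats = []
    for ind in indicators:
        narrow = re.compile(re.escape(ind.encode("ascii")), re.IGNORECASE)
        wide = re.compile(re.escape(ind.encode("utf-16-le")), re.IGNORECASE)
        pats.append((ind, "ascii", narrow))
        pats.append((ind, "utf-16le", wide))
    return pats


def scan(buf, indicators=INDICATORS):
    """Return a sorted list of (offset, indicator, encoding) hits in buf."""
    hits = []
    for ind, enc, pat in _patterns(indicators):
        for m in pat.finditer(buf):
            hits.append((m.start(), ind, enc))
    return sorted(hits)


def extract_string(buf, offset, encoding):
    """Expand from a hit to the full printable string around it.

    For ASCII the string is a run of printable bytes; for UTF-16LE it is a
    run of (printable byte, 0x00) pairs. The run stops at the first byte
    that does not fit, which is normally the NUL terminator.
    """
    if encoding == "ascii":
        step = 1

        def ok(i):
            return 0x20 <= buf[i] <= 0x7E
    else:
        step = 2

        def ok(i):
            return i + 1 < len(buf) and 0x20 <= buf[i] <= 0x7E and buf[i + 1] == 0

    start = offset
    while start - step >= 0 and ok(start - step):
        start -= step
    end = offset
    while end < len(buf) and ok(end):
        end += step
    raw = buf[start:end]
    return raw.decode("ascii" if encoding == "ascii" else "utf-16-le")


# Constructed sample: one narrow path, padding, then one wide path.
SAMPLE = (
    b"\x00" * 16
    + b"C:\\myrtus\\src\\guava.pdb\x00"                    # constructed ASCII path
    + b"\x00" * 8
    + "D:\\MYRTUS\\build\\driver.sys".encode("utf-16-le")   # constructed wide path
    + b"\x00\x00"
    + b"\xff" * 8
)


def report(buf):
    """Return human-readable lines, one per hit, with the recovered string."""
    lines = []
    for offset, ind, enc in scan(buf):
        lines.append(f"0x{offset:08x} {enc:<8} {ind:<7} {extract_string(buf, offset, enc)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

In practice the buffer would be a file read with `open(path, "rb").read()` or a memory dump; the scanner stays the same. Searching the wide form as well matters because a narrow-only `strings` pass silently misses UTF-16LE paths.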


Based on reverse engineering of the unpacked sample, the picture above shows a portion of the code. This part attempts to inject its specially named DLL into the targeted system processes. The DLL does not exist on disk; it remains only in memory.

There is a lot of speculation, and probably propaganda, from various sources relating Stuxnet to Israel and Iran. The authors of Stuxnet are probably having a big LOL at the analysts because of the media's inappropriate speculation. This needs to be checked carefully.

There are a few rumors that the Stuxnet source code has been released, but what I found looks like decompiled code, probably produced with the Hex-Rays decompiler. >> https://github.com/Laurelai/decompile-dump

Last Update: 07 Oct 2010, 10:04 AM