Stuxnet update 10.20.10
Our paradigm Intel has been right on target.
- To escape detection while targeting every Windows OS from 2000 through 7, the attack team bought every version of every antivirus product for each OS and then designed Stuxnet so that none of them would flag it.
- Stuxnet's infection and in-network replication capabilities keep evolving, yet its payload remains unchanged. Meaning: the target remains the same, and maybe the attackers aren't yet satisfied that they've accomplished their mission.
- On the human-interest side, he noted that the reverse-engineering paths he and his colleagues have been following are the same as, or similar to, those blazed by the team that crafted the attack. Though lots of evidence points that way, Symantec (unlike Ralph Langner and others) is not ready to say that Iran's nuclear operations are the only or primary target of Stuxnet. Several parts of Stuxnet remain uncracked, and their research continues.
- In addition to phenomenal antivirus evasion, Stuxnet includes many other stealth techniques and a whole menu of attack strategies: getting past OS defenses, through firewalls, escalating its privileges, and much, much more.
Lots more to come out of the reverse engineering.
Capabilities documented so far:
• Self-replicates through removable drives by exploiting a vulnerability that allows automatic execution: Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732; CVE-2010-2568, patched in MS10-046).
• Spreads within a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073; CVE-2010-2729, patched in MS10-061).
• Spreads over SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874; CVE-2008-4250, patched in MS08-067).
• Copies and executes itself on remote computers through network shares.
• Copies and executes itself on remote computers running a WinCC database server.
• Copies itself into Step 7 projects in such a way that it executes automatically when the Step 7 project is loaded.
• Updates itself through a peer-to-peer mechanism within a LAN.
• Exploits a total of four Microsoft vulnerabilities that were unpatched when the worm was discovered: two of them are the LNK and Print Spooler self-replication vulnerabilities above, and the other two are escalation-of-privilege vulnerabilities that have yet to be disclosed.
• Contacts a command and control server that lets the attacker download and execute code, including updated versions of the worm.
• Contains a Windows rootkit that hides its binaries.
• Attempts to bypass security products.
• Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
• Hides the modified code on the PLCs, essentially a rootkit for PLCs.
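The removable-drive vector above (the LNK/PIF automatic execution vulnerability, BID 41732) works because Explorer, merely to draw a shortcut's icon, follows the shortcut's target ID list into a Control Panel item and loads the DLL it names. The script below is an added illustration written for this note, not Symantec's tooling and not code from the worm: it parses the MS-SHLLINK header and LinkTargetIDList of a .lnk file and flags shortcuts whose ID list walks into the Control Panel and then names a .dll, which is the shape a removable drive carrying this exploit would show. The two sample shortcuts are constructed inline with a simplified item layout (real Control Panel item IDs carry more fields than a bare CLSID), and the path E:\payload.dll is hypothetical.

```python
"""Heuristic detector for shortcut files shaped like the LNK/PIF auto-execution
exploit (BID 41732): a .lnk whose ID list points at a Control Panel item backed
by a DLL.  Added example for this note, not production tooling; the sample
shortcuts are constructed here, not captured from a real infection."""
import os
import struct
import uuid

# Constants from the MS-SHLLINK specification and the Windows Shell CLSID list.
HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")


def parse_lnk(data):
    """Return {'flags': int, 'item_ids': [bytes, ...]}, or None if not a .lnk."""
    if len(data) < HEADER_SIZE:
        return None
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LNK_CLSID.bytes_le:
        return None
    flags, = struct.unpack_from("<I", data, 20)
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST and len(data) >= HEADER_SIZE + 2:
        id_list_size, = struct.unpack_from("<H", data, HEADER_SIZE)
        pos = HEADER_SIZE + 2
        end = min(len(data), pos + id_list_size)
        while pos + 2 <= end:
            item_size, = struct.unpack_from("<H", data, pos)
            if item_size == 0:          # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                break                   # truncated or malformed item: stop, do not crash
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return {"flags": flags, "item_ids": items}


def is_cpl_autoload_lnk(data):
    """True when the ID list enters the Control Panel and a later item names a
    .dll: Explorer loads that DLL just to render the icon, no click required."""
    parsed = parse_lnk(data)
    if parsed is None:
        return False
    items = parsed["item_ids"]
    for i, item in enumerate(items):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            for later in items[i + 1:]:
                low = later.lower()
                if b".dll" in low or ".dll".encode("utf-16-le") in low:
                    return True
    return False


def scan_directory(path):
    """Return paths of suspicious .lnk files directly under `path`
    (for example the root of a removable drive)."""
    hits = []
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                if is_cpl_autoload_lnk(fh.read()):
                    hits.append(entry.path)
    return hits


def build_sample_lnk(target, via_control_panel):
    """Construct a minimal shortcut for testing.  Layout is simplified: real
    Control Panel item IDs carry more fields than a bare CLSID."""
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le
              + struct.pack("<II", HAS_LINK_TARGET_ID_LIST, 0)   # LinkFlags, FileAttributes
              + b"\x00" * 24                                      # three FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))      # size, icon, SW_SHOWNORMAL, ...
    items = [b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le]            # root: My Computer
    if via_control_panel:
        items.append(b"\x1f\x00" + CONTROL_PANEL_CLSID.bytes_le)  # Control Panel folder
    items.append(b"\x00\x00" + target.encode("utf-16-le") + b"\x00\x00")
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: a benign shortcut and one shaped like the exploit.
BENIGN_LNK = build_sample_lnk(r"C:\Windows\notepad.exe", via_control_panel=False)
EXPLOIT_LNK = build_sample_lnk(r"E:\payload.dll", via_control_panel=True)  # hypothetical path

if __name__ == "__main__":
    print("benign :", is_cpl_autoload_lnk(BENIGN_LNK))
    print("exploit:", is_cpl_autoload_lnk(EXPLOIT_LNK))
```

The check is deliberately a heuristic: it keys on the Control Panel CLSID plus a DLL reference rather than on any particular file name, so it catches the class of shortcut rather than one sample, and it tolerates truncated ID lists instead of raising. Run `scan_directory` against the root of a mounted removable drive; anything it returns deserves a look in a sandbox, not a double-click.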