Stuxnet == Cyberweapon Prototype
  • Sh3llc0d3
    Posts: 1,910
    Sounds like a good time to be working in IT security ;)

    http://www.computerweekly.com/Articles/ ... curity.htm

    S-P
  • Xin
    Posts: 3,251
    The source of this was leaked also recently ;), time to be taking over some power stations
    Xin
  • Sh3llc0d3
    Posts: 1,910
    Yeah, shame they patched the vulnerabilities lol. Coding malware on that level would be awesome. They reckon it's the most advanced malware code they've seen, something like that anyway lol
  • mandi
    Posts: 207
    I would like to share some of the information I knew about the Stuxnet worm

    "according to me the most interesting part was the worm is based on utilizing 4 exploits"

    And the most amazing thing is they managed to exploit one of the security patches for one of the old exploits, I have never heard of or seen anything like this...

    this tells how dumb the Microsoft OS is, it seems they are patching security holes poorly...

    Also see here:

    http://www.flyingpenguin.com/?p=8091&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+flyingpenguin+%28flyingpenguin%29

    @Xinapse--->

        The source of this was leaked also recently ;), time to be taking over some power stations

    if possible can you share them please?
  • Xin
    Posts: 3,251
    mandi said:

        I would like to share some of the information I knew about the Stuxnet worm

        "according to me the most interesting part was the worm is based on utilizing 4 exploits"

        And the most amazing thing is they managed to exploit one of the security patches for one of the old exploits, I have never heard of or seen anything like this...

        this tells how dumb the Microsoft OS is, it seems they are patching security holes poorly...

        Also see here:

        http://www.flyingpenguin.com/?p=8091&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+flyingpenguin+%28flyingpenguin%29

        @Xinapse--->

            The source of this was leaked also recently ;), time to be taking over some power stations

        if possible can you share them please?

    I myself don't have it, I read on The Register that it has been leaked into the underground forums
    Xin
  • I have not read a lot about the Stuxnet worm. I am curious: why do they go through port 445? Is the malware initiated through RPC and does it need to bind to UUIDs from the portmapper? Is it using named pipes?
  • Bursihido
    Posts: 406
    [embedded YouTube video]
  • m0rph
    Posts: 332
    said:

        I have not read a lot about the Stuxnet worm. I am curious: why do they go through port 445? Is the malware initiated through RPC and does it need to bind to UUIDs from the portmapper? Is it using named pipes?


    This might explain some parts of it, obviously not all of it though. I was playing around with this exploit in the offsec labs...pretty powerful shit.

    I mean the ingenuity that went into creating this attack vector is so astounding to me. Whether it was an individual that came up with the idea or a team of geniuses...it doesn't matter.

    From what I understand there's this kind of flow of execution:

    Attacker --> [Malicious WritePrinter Requests through port 445] --> [Deletes files that are processed automatically in Wbem\Mof] --> [Wbem\Mof automatically "executes" malicious WritePrinter requests]

    Target --> [Shell] --> Attacker


    In words, the attacker sends malicious WritePrinter requests to port 445 on the target, and the payload is subsequently stored in a .mof file in the Wbem\Mof directory. Then it deletes all other .mof files, and leaves itself as the only file to be "executed."

    UUIDs can be appended to the target from the WritePrinter requests. You can also prepend UUIDs..... O.o

    And yes, it uses named pipes. You can actually name the SMB pipe yourself, although the default value is "spoolss."

    Port 445 can be changed to whatever SMB port is sharing a printer. I'm assuming 445 is a default printer sharing port though. Could be wrong, but given the attack vector of Metasploit's version, I'd say it's likely.

    Anyway, here's what I've been ranting about:
    http://www.metasploit.com/modules/exploit/windows/smb/ms10_061_spoolss
    while( !(succeed = try() ) );
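    Detection logic for the flow described in the post above, written as an added example (it is not code from the thread, from Stuxnet or from the Metasploit module): it scans constructed Sysmon-style FileCreate events and flags any .mof file written into the Wbem\Mof auto-compile directory by the print spooler, or by a process outside an expected-writer list (the list, the event format and the sample lines are assumptions for the example).

```python
import re
import ntpath

# Directory that older Windows versions auto-compile .mof files from (the
# thread's "Wbem\Mof"); compared case-insensitively, as NTFS does.
MOF_AUTOCOMPILE_DIR = r"c:\windows\system32\wbem\mof"
# Processes a defender would normally expect to drop .mof files there
# (assumption for this example; tune per environment).
EXPECTED_MOF_WRITERS = {"mofcomp.exe", "msiexec.exe", "wmiprvse.exe"}

# Constructed sample events in a Sysmon Event ID 11 (FileCreate) style.
SAMPLE_EVENTS = [
    "2010-09-20T10:14:58 Image=C:\\Windows\\System32\\mofcomp.exe TargetFilename=C:\\Windows\\System32\\wbem\\mof\\setup.mof",
    "2010-09-20T10:15:01 Image=C:\\Windows\\System32\\spoolsv.exe TargetFilename=C:\\Windows\\System32\\wbem\\mof\\dropped.mof",
    "2010-09-20T10:15:03 Image=C:\\Windows\\System32\\spoolsv.exe TargetFilename=C:\\Windows\\System32\\spool\\PRINTERS\\00004.SPL",
    "2010-09-20T10:15:07 Image=C:\\Program Files\\App\\app.exe TargetFilename=C:\\Windows\\System32\\wbem\\mof\\update.mof",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) Image=(?P<image>.+?) TargetFilename=(?P<target>.+)$")


def parse_event(line):
    """Split one event line into (timestamp, image, target); None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("image"), m.group("target")


def classify(image, target):
    """Return an alert reason for a file write, or None if it looks benign."""
    target_l = target.lower()
    # Only files landing directly in the auto-compile directory are compiled.
    if ntpath.dirname(target_l) != MOF_AUTOCOMPILE_DIR or not target_l.endswith(".mof"):
        return None
    proc = ntpath.basename(image).lower()
    if proc == "spoolsv.exe":
        return "print spooler wrote a .mof into the auto-compile directory (MS10-061 pattern)"
    if proc not in EXPECTED_MOF_WRITERS:
        return f"unexpected process {proc} wrote a .mof into the auto-compile directory"
    return None


def scan(lines):
    """Return (timestamp, process, reason) for every event that should alert."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, image, target = parsed
        reason = classify(image, target)
        if reason:
            alerts.append((ts, ntpath.basename(image).lower(), reason))
    return alerts
```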
  • d4rkgt4
    Posts: 5
    Dangerous malware, I have used it.