January 6, 2011

Stuxnet.A and propagation

Idt is basically a malware that finds the vulnerabilities in Microsoft windows and executes its routines that spreads through networks and removable drives. It has different names WORM_STUXNET.A, LNK_STUXNET.A, RTKT_STUXNET.A. It is programmed to target specific infrastructures which has raised many people's interest in this Particular malware.




 It basically has three components that work in a row a worm, a .lnk file and a rootkit.

WORM_STUXNET—
  1. The worm executes all routines related to the main payload of the attack. It uses certain vulnerabilities for its propagation and execution of certain routines. 
  2. It implements a Microsoft Remote Procedure Call to execute certain functions, enabling affected systems to communicate with one another and also tests for an active Internet connection on the affected system to communicate with a remote server.
  3. It is also the component responsible for attempting to access a database consistent with one used in Siemens WinCC systems.

LNK_STUXNET—This specially crafted .LNK file automatically executes the propagated copies of WORM_STUXNET. It exploits a vulnerability in the way Windows displays the icons of shortcut files and is basically employed by STUXNET for automatic execution.

RTKT_STUXNET—This rootkit component is mainly responsible for hiding all malicious files and processes to save the worm from being located. 

Its propagation: 


There are three main ways:
  • It uses Windows shortcut vulnerability (2568), which allows itself to spread via removable drives even if Autorun is disabled.It does so by exploiting another vulnerability to gain administrator previlages.
  • Secondly, it uses Printer Spooler vulnerability (2729) to spread via networks, if a system shares a printer over the network.
  • Lastly it uses the same vulnerability which DOWNAD/conflicker virus  
  • It installs itself in both server and client component for a Microsoft Remote Procedure Call by exploiting the conflicker's vulnerability and runs certain commands that will initiate malware on that infected system.  
  • It pings to the www.windowsupdate.com,  www.msn.com to check if there is active internet connection and sends and receives commands from malicious sites that are controlled by the hacker. 

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...

Search This Blog

Followers

Categories

Twitter Delicious Facebook Digg Stumbleupon Favorites More