
Stuxnet is a computer worm discovered in July 2010. Stuxnet is a large, complex piece of malware with many different components and functionalities. It is a threat that was primarily written to target an industrial control system or a set of similar systems. It has been called a military-grade guided cyber missile, a hyper-sophisticated cyber weapon and the hack of the century. It spreads over the network and over removable storage (USB).

There is No Evidence Beyond Rumor


Israel, the US and the Siemens company were considered to have designed this virus.

The US was also involved in TESTING and DEVELOPMENT.

The finger was even pointed at Siemens, whose software was used by the Iranian organization.

Stuxnet consists of a large .dll file with 32 exports (function goals) and 15 resources (function methods).

Stuxnet contacts the command and control server. It first tests whether it can connect, on port 80, to:
- www.windowsupdate.com
- www.msn.com
It then sends some basic information about the compromised computer to the attacker at:
- www.mypremierfutbol.com
- www.todaysfutbol.com
The two URLs above previously pointed to servers in Malaysia and Denmark.

- autorun.inf
- .LNK vulnerability, unpatched at the time of discovery
- Network shares
- Printer Spooler vulnerability, unpatched at the time of discovery
- NetPathCanonicalize vulnerability, the one Conficker/Downadup uses, fixed in 2008
- Default password in the WinCC SQL database server
These could spread over USB, e-mail, etc.

Stuxnet has the ability to hide the copies of its files that it places on removable drives. Stuxnet extracts Resource 201 as MrxNet.sys. The driver is registered as a service, creating the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath = %System%\drivers\mrxnet.sys
The driver file is digitally signed with a legitimate Realtek digital certificate. The driver then filters (hides) files that match:
- Files with a .LNK extension having a size of 4,171 bytes.
- Files named ~WTR[FOUR NUMBERS].TMP whose size is between 4Kb and 8Mb and where the sum of the four numbers, modulo 10, is zero. For example, 4+1+3+2=10=0 mod 10.
Examples:
- Copy of Copy of Copy of Copy of Shortcut to.lnk
- Copy of Shortcut to.lnk
- ~wtr4141.tmp
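The hiding rules above turned into a defender-side check, as an added example that is not part of the original slides: a Python scan that flags files matching MrxNet's filter criteria. It assumes "4Kb" and "8Mb" mean 4*1024 and 8*1024*1024 bytes, and it is only meaningful when run against the volume from a clean host, since on an infected machine the driver hides exactly these entries from any scan.

```python
import os
import re

# Rule 1 (from the page): .LNK files of exactly 4,171 bytes.
LNK_SIZE = 4171
# Rule 2 (from the page): ~WTR<four digits>.TMP, between 4Kb and 8Mb, with the
# four digits summing to a multiple of 10 (e.g. 4+1+3+2 = 10).
# Assumption: "4Kb" and "8Mb" are read as 4*1024 and 8*1024*1024 bytes.
WTR_NAME = re.compile(r"^~wtr(\d{4})\.tmp$", re.IGNORECASE)
WTR_MIN_SIZE = 4 * 1024
WTR_MAX_SIZE = 8 * 1024 * 1024

def matches_mrxnet_filter(name: str, size: int) -> bool:
    """True if a file of this name and size falls under MrxNet's hiding rules."""
    if name.lower().endswith(".lnk"):
        return size == LNK_SIZE
    m = WTR_NAME.match(name)
    if m is None:
        return False
    digit_sum = sum(int(d) for d in m.group(1))
    return WTR_MIN_SIZE <= size <= WTR_MAX_SIZE and digit_sum % 10 == 0

def flag_listing(listing):
    """Return the names in a [(name, size), ...] listing that match the rules."""
    return [name for name, size in listing if matches_mrxnet_filter(name, size)]

def scan_directory(root: str):
    """Walk a volume mounted on a clean host and return matching file paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            if matches_mrxnet_filter(fname, size):
                hits.append(path)
    return hits

# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    ("Copy of Shortcut to.lnk", 4171),  # .LNK of exactly the hidden size
    ("~wtr4141.tmp", 500_000),          # 4+1+4+1 = 10, size in range
    ("~WTR4132.TMP", 25_000),           # 4+1+3+2 = 10, upper-case variant
    ("~wtr1111.tmp", 25_000),           # digit sum 4: not hidden
    ("~wtr4141.tmp", 1_000),            # below 4Kb: not hidden
    ("readme.lnk", 1_200),              # ordinary shortcut of another size
]
```

Running `flag_listing(SAMPLE_LISTING)` returns the first three names; `scan_directory` applies the same rules to a mounted USB image or share.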

LNK Vulnerability (CVE-2010-2568)

AutoRun.Inf

Run Symantec Power Eraser with the Symantec Endpoint Protection Support Tool (see the Symantec Power Eraser overview). If you have infected Windows system files, you may need to replace them from the Windows installation CD.

Restoring settings in the registry: Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available
- Enforce a password policy
- Disable AutoPlay
- Turn off file sharing if not needed
- Turn off and remove unnecessary services
- Always keep your patch levels up to date

Stuxnet represents the first of many milestones in malicious code history. It is the first to exploit multiple 0-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems while hiding that code from the operator. Stuxnet is of such great complexity, requiring significant resources to develop, that few attackers will be capable of producing a similar threat. Stuxnet has highlighted that direct attack attempts on critical infrastructure are possible and not just theory or movie plotlines.
