1/6/2019

• Stuxnet is an Advanced Persistent Threat (APT) that was targeted at a specific manufacturing facility. (It is named for a string of letters buried in its code.)
• It is (or was at the time of its discovery) the most complicated virus / worm ever discovered.
• Average viruses are about 10k bytes in size. Stuxnet was 500 KB (and no graphics).
• It is unusual for a virus to contain one zero-day vulnerability. Stuxnet had 4.
• Stuxnet also acted like a rootkit – hiding its actions and its presence.
• It was the first virus to include code to attack Supervisory Control and Data Acquisition (SCADA) systems.

Timeline:

November 20, 2008 – Trojan.Zlob variant found to be using the LNK vulnerability only later identified in Stuxnet.
April, 2009 – Security magazine Hakin9 releases details of a remote code execution vulnerability in the Printer Spooler service. Later identified as MS10-061.
June, 2009 – Earliest Stuxnet sample seen. Does not exploit MS10-046. Does not have signed driver files.
January 25, 2010 – Stuxnet driver signed with a valid certificate belonging to Realtek Semiconductor Corp.
March, 2010 – First Stuxnet variant to exploit MS10-046.
June 17, 2010 – Virusblokada reports W32.Stuxnet (named RootkitTmphider). Reports that it is using a vulnerability in the processing of shortcuts/.lnk files in order to propagate (later identified as MS10-046).
July 13, 2010 – Symantec adds detection as W32.Temphid (previously detected as Trojan Horse).
July 16, 2010 – Microsoft issues Security Advisory for “Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)”, which covers the vulnerability in processing shortcuts/.lnk files. Verisign revokes the Realtek Semiconductor Corp. certificate.
July 17, 2010 – Eset identifies a new Stuxnet driver, this time signed with a certificate from JMicron Technology Corp.
July 19, 2010 – Siemens reports that it is investigating reports of malware infecting Siemens WinCC SCADA systems. Symantec renames detection to W32.Stuxnet.
July 20, 2010 – Symantec monitors the Stuxnet command and control traffic.
July 22, 2010 – Verisign revokes the JMicron Technology Corp. certificate.
August 2, 2010 – Microsoft issues MS10-046, which patches the Windows Shell shortcut vulnerability.
August 6, 2010 – Symantec reports how Stuxnet can inject and hide code on a PLC affecting industrial control systems.
September 14, 2010 – Microsoft releases MS10-061 to patch the Printer Spooler vulnerability identified by Symantec in August. Microsoft reports two other privilege escalation vulnerabilities identified by Symantec in August.
September 30, 2010 – Symantec presents at Virus Bulletin and releases a comprehensive analysis of Stuxnet.

Removable drive contents and propagation rules:

• Removable drive contains:
  • 2 tmp files; the file names are variable, but the digits in each name sum to a multiple of 10 (∑ mod 10 = 0):
    • ~WT4132.tmp – main DLL, ~500 KB
    • ~WT4141.tmp – loader for the main DLL, ~25 KB
  • 4 .lnk files: multiple links are needed to attack different versions of Windows (W2k, WXP, Serv2003, Vista, W7).
• A removable drive only infects a maximum of 3 hosts, and then erases itself.
• A host only infects a new removable drive if:
  • the drive is not already infected,
  • the host's infection is less than 21 days old,
  • the drive has more than 5 MB of free space, and
  • the drive has more than 3 files on it.
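The propagation rules above are precise enough to model. The following is an added example, not code from the original page: it encodes the stated limits (3 hosts per drive, 21-day window, more than 5 MB free, more than 3 files) so an analyst can reason about how far one drive could carry the dropper, and it adds a name check for the two tmp files, whose digits sum to a multiple of 10. The Drive class, the function names and all sample values are constructed for illustration; the optional "R" accepted in the name pattern is an assumption, since the page writes the names as ~WT....tmp.

```python
"""Defender's model of the removable-drive rules listed on the page.

Added example; Drive, the helper names and the sample values are
constructed, the numeric limits are the page's own figures.
"""
import re
from dataclasses import dataclass

MAX_HOSTS_PER_DRIVE = 3            # page: a drive infects at most 3 hosts
MAX_INFECTION_AGE_DAYS = 21        # page: host infection less than 21 days old
MIN_FREE_BYTES = 5 * 1024 * 1024   # page: more than 5 MB free
MIN_FILE_COUNT = 3                 # page: more than 3 files on the drive


@dataclass
class Drive:
    """Constructed stand-in for a removable drive's observable state."""
    infected: bool
    free_bytes: int
    file_count: int
    hosts_infected: int = 0


def host_will_infect_drive(infection_age_days, drive):
    """True if, under the page's rules, an infected host would write the
    dropper to this drive. infection_age_days is the host's infection age."""
    if drive.infected:
        return False
    if infection_age_days >= MAX_INFECTION_AGE_DAYS:
        return False
    if drive.free_bytes <= MIN_FREE_BYTES:
        return False
    if drive.file_count <= MIN_FILE_COUNT:
        return False
    return True


def carry_drive_to_hosts(drive, clean_hosts):
    """Plug an infected drive into a series of clean hosts and return how
    many of them get infected. The drive erases itself after the third."""
    infected = 0
    for _ in range(clean_hosts):
        if not drive.infected or drive.hosts_infected >= MAX_HOSTS_PER_DRIVE:
            break
        drive.hosts_infected += 1
        infected += 1
        if drive.hosts_infected >= MAX_HOSTS_PER_DRIVE:
            drive.infected = False   # dropper files removed from the drive
    return infected


# The page writes the names as ~WTnnnn.tmp; the optional R is an assumption.
DROPPER_NAME = re.compile(r"^~WTR?(\d{4})\.tmp$", re.IGNORECASE)


def matches_dropper_name(filename):
    """True if the name has the ~WTnnnn.tmp form and its digits sum to a
    multiple of 10 (the page's '∑ mod 10 = 0' rule). Both names on the
    page, 4132 and 4141, sum to 10."""
    m = DROPPER_NAME.match(filename)
    if not m:
        return False
    return sum(int(d) for d in m.group(1)) % 10 == 0


def scan_listing(filenames):
    """Return the entries of a directory listing that match the name rule."""
    return [f for f in filenames if matches_dropper_name(f)]


if __name__ == "__main__":
    # Constructed listing: two page names, a benign file, and a near miss
    # whose digits sum to 11.
    print(scan_listing(["~WT4132.tmp", "~WT4141.tmp", "readme.txt", "~WT1235.tmp"]))
    drive = Drive(infected=True, free_bytes=0, file_count=0)
    print(carry_drive_to_hosts(drive, clean_hosts=5), drive.infected)
```

The name rule alone is a weak indicator (any four digits summing to a multiple of 10 match), so it belongs in a triage script alongside the file sizes the page gives (~500 KB and ~25 KB) rather than as a standalone alert.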
How Stuxnet spreads:

• Carried by flash drive.
• Copies itself to open file shares.
• Passes through vulnerable print spooler code (zero-day vulnerability, MS10-061).
• Passes through the RPC vulnerability used by Conficker (MS08-067).

Privilege escalation:

• Vista and later: creates a scheduled task, then modifies the task file and pads it until its CRC32 matches that of the original task, so the modified task will now run under the scheduler. Creates the rootkit for Vista+.
• Windows XP: abuses the feature that lets users load different keyboard layouts, which can be loaded from anywhere; the layout file loads pointers and then transfers control to code. Creates the rootkit for Windows XP.

PLC code blocks:

• Data Blocks (DB) contain program-specific data, such as numbers, structures, and so on.
• System Data Blocks (SDB) contain information about how the PLC is configured. They are created depending on the number and type of hardware modules that are connected to the PLC.
• Organization Blocks (OB) are the entry point of programs. They are executed cyclically by the CPU. In regards to Stuxnet, two notable OBs are:
  • OB1, the main entry point of the PLC program. It is executed cyclically, without specific time requirements.
  • OB35, a standard watchdog Organization Block, executed by the system every 100 ms. This block may contain any logic that needs to monitor critical inputs in order to respond immediately or perform functions in a time-critical manner.
• Function Blocks (FC) are standard code blocks. They contain the code to be executed by the PLC. Generally, the OB1 block references at least one FC block.

Target fingerprinting on the PLC:

• Check the PLC code for the PLC type, looking for 6ES7-315-2.
• If found, check the SDB for a Profibus communications processor CP342-5 (used to control a number of devices, including frequency converters).
• Now look for at least 33 specific freq.