A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1661  by gR1
 Fri Jul 23, 2010 6:27 pm
gjf wrote:
gR1 wrote: ~WTR4141.tmp (~25Kb) file (which I've renamed to dll.dll for convenience)
It's not clear: have you kept the original name or "dll.dll"? If the name is not the original, it will not perform the regsvr32 operation from the LNK, so the installation will be incomplete.

Possibly this is the point.
I forgot to mention that I've also tried various names for the ~25Kb file, ~wtr.dll, ~wtr.tmp, etc., including ~WTR4141.tmp (the original name), but none worked as desired.
I'll attach what I currently have; if someone is kind enough to take a look, I'll appreciate it. :)
I'm probably making a mistake in the .lnk file somewhere... :/
Pass: infected
 #1744  by EP_X0FF
 Tue Aug 03, 2010 1:21 am
Official patch for LNK "feature" has been released.
 #2744  by Mehdi
 Mon Sep 13, 2010 10:46 am
As you know, the machines infected with Stuxnet call back to C&C servers with a DATA field that starts with 66a96e28.
This DATA is encrypted (XOR-ed) with a 31-byte key, which I think is embedded within the DLL.
Do you know what the key is, or how we can decode the DATA field?
Thanks
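The post above asks how a DATA field XOR-ed with a 31-byte repeating key could be decoded. The following is an added example for this thread, not code from the original post and not derived from any Stuxnet sample: the 31-byte key, the beacon "plaintext" and the key length assumption are all constructed here for illustration, and whether the 66a96e28 prefix mentioned above lies inside or outside the encrypted region is not established on this page, so the example strips nothing. It shows the two things an analyst would actually do with such a field: apply a repeating-key XOR (which decodes as well as encodes), and recover the key from a captured field when the first bytes of the plaintext are known, with a consistency check that fails when the assumed key length is wrong.

```python
"""Repeating-key XOR over a C&C DATA field (added example, constructed data)."""
from itertools import cycle
from typing import Optional

KEY_LEN = 31  # assumed key length, as stated in the post above

# CONSTRUCTED stand-in key for the demo: NOT the key from any real sample.
DEMO_KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so one function encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_known_plaintext(cipher: bytes, known: bytes,
                                     key_len: int = KEY_LEN) -> Optional[bytes]:
    """Recover a repeating XOR key when the first len(known) plaintext bytes are known.

    For each key position i, key[i] = cipher[j] ^ known[j] for every j with j % key_len == i.
    The first key_len bytes of the known prefix fix the key; any further known bytes must
    agree with it, otherwise the key-length assumption is wrong and None is returned.
    """
    if len(known) < key_len or len(cipher) < key_len:
        return None
    key = bytearray(cipher[i] ^ known[i] for i in range(key_len))
    for j in range(key_len, min(len(known), len(cipher))):
        if cipher[j] ^ known[j] != key[j % key_len]:
            return None  # inconsistent: not a repeating key of this length
    return bytes(key)


# CONSTRUCTED sample beacon contents (not real Stuxnet traffic).
SAMPLE_PLAINTEXT = b"host=WORKSTATION-01;os=5.1;ip=10.0.0.5;ver=1;tag=example-only"


def demo() -> dict:
    """Encode the sample, decode it again, and recover the key from a 40-byte known prefix."""
    encoded = xor_with_key(SAMPLE_PLAINTEXT, DEMO_KEY)
    decoded = xor_with_key(encoded, DEMO_KEY)
    recovered = recover_key_from_known_plaintext(encoded, SAMPLE_PLAINTEXT[:40])
    return {"encoded_hex": encoded.hex(), "decoded": decoded, "recovered_key": recovered}


if __name__ == "__main__":
    result = demo()
    print("encoded :", result["encoded_hex"])
    print("decoded :", result["decoded"].decode())
    print("key ok  :", result["recovered_key"] == DEMO_KEY)
```

In practice the known prefix comes from fields a beacon always carries (a fixed header, a version string, a hostname seen on the wire in cleartext elsewhere); if no key length is known, the same recovery can be tried for each candidate length and only the consistent one survives the check.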
 #2776  by EP_X0FF
 Sat Sep 18, 2010 2:14 am
__Genius__ wrote: Has anybody analyzed this malware thoroughly?
Well, it is not a surprise and not a secret anymore.
Stuxnet is (c) Mossad and its main target was the atomic plant in Busher, Iran.
 #2786  by gjf
 Sat Sep 18, 2010 7:09 pm
EP_X0FF wrote: Stuxnet is (c) Mossad and its main target was the atomic plant in Busher, Iran.
Proof links? Or is it just a rumor?
 #2787  by swirl
 Sat Sep 18, 2010 11:38 pm
gjf wrote: Proof links? Or is it just a rumor?
I don't think we will have any sort of proof, but it seems a plausible hypothesis
given that Stuxnet spread mostly in Iran and considering its final aim.
Most of the media hype and analysis focused on the .LNK vuln and in the later days on
the 3 more vulns included, but I didn't find much about WHAT was the aim
of the worm: lots of articles on how it spread but not much on what it was
supposed to do, except this one http://www.langner.com/en/index.htm

my 2 cents ;)
 #2798  by gjf
 Sun Sep 19, 2010 12:14 pm
Actually it was not Iran, but India and Indonesia:
Image
But there are other statistics:
Image
so there is not only one opinion.

BTW it was found that Stuxnet is intended to get access to Siemens WinCC, and I am not sure Germany has sold any software and industrial systems to Iran.

So it is not clear that Iran is the primary target. That's why I've asked about proof links.
 #2799  by EP_X0FF
 Sun Sep 19, 2010 12:40 pm
India and Indonesia only because they have more computers.

Atomstroyexport also has business in India btw ;)

And everything was told one year ago :)

http://www.ynetnews.com/articles/0,7340 ... 60,00.html

What about Siemens, well it's used on Busher.

http://www.ynetnews.com/articles/0,7340 ... 63,00.html

And in fact the sabotage seems to have been successful.