[Brookit]

Stuxnet: A Breakthrough

http://www.symantec.com/connect/blogs/s ... eakthrough

[Meriadoc]

TrendLabs has created a STUXNET Scanner Tool to further help administrators with clues to determine which computers in their networks are still infected by STUXNET.

[gjf]

News: Stuxnet code leaks to some underground forum. Someone knows which one?

[blast]

Someone can help or tell as to get a file or dump with a code privilege escalation via keyboard layout file (ms10-073). thanks.

[gjf]

Looks like non-private exploits become more popular, yeah? ;)

[EP_X0FF]

@blast

Stuxnet uses special dll for this purpose.

[Cr4sh]

Someone can help or tell as to get a file or dump with a code privilege escalation via keyboard layout file (ms10-073). thanks.

Set bp on win32k!NtUserLoadKeyboardLayoutEx and run sample from this thread. When bp occurs - trace from syscall return back to the malware code. And finnaly, trace malware code up to the SendInput() call.
You sould see something like this (HexRays): http://www.everfall.com/paste/id.php?2p9sflyub177

[blast]

EP_X0FF, Cr4sh. big thanks.

Cr4sh: Problem in that that I can't start any sample from this thread. Maybe problem in vmware setting or somthing like that, my friend have the same problems.

[EP_X0FF]

Try this. Rename both files to their original names.
~wtr4141.tmp for dll
~wtr4132.tmp for dropper

put them together somewhere on disk (for example in root dir)

cmd -> start c:\~wtr4132.tmp

It should work.

[a_d_13]

Hello,

Iran has confirmed that Stuxnet has caused problems for some of their nuclear enrichment facilities. I think this is as close to a confirmation that we will ever see ;)

Thanks,
--AD