A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3762  by blast
 Mon Nov 29, 2010 1:25 pm
Someone can help or tell as to get a file or dump with a code privilege escalation via keyboard layout file (ms10-073). thanks.
 #3764  by EP_X0FF
 Mon Nov 29, 2010 2:46 pm
@blast

Stuxnet uses special dll for this purpose.
Attachments
pass: malware
(19.55 KiB) Downloaded 89 times
 #3765  by Cr4sh
 Mon Nov 29, 2010 4:09 pm
blast wrote:Someone can help or tell as to get a file or dump with a code privilege escalation via keyboard layout file (ms10-073). thanks.
Set bp on win32k!NtUserLoadKeyboardLayoutEx and run sample from this thread. When bp occurs - trace from syscall return back to the malware code. And finnaly, trace malware code up to the SendInput() call.
You sould see something like this (HexRays): http://www.everfall.com/paste/id.php?2p9sflyub177
 #3766  by blast
 Mon Nov 29, 2010 5:05 pm
EP_X0FF, Cr4sh. big thanks.

Cr4sh: Problem in that that I can't start any sample from this thread. Maybe problem in vmware setting or somthing like that, my friend have the same problems.
 #3769  by EP_X0FF
 Mon Nov 29, 2010 5:49 pm
Try this. Rename both files to their original names.
~wtr4141.tmp for dll
~wtr4132.tmp for dropper

put them together somewhere on disk (for example in root dir)

cmd -> start c:\~wtr4132.tmp

It should work.
Attachments
pass: malware
(511.74 KiB) Downloaded 139 times
 #3773  by a_d_13
 Mon Nov 29, 2010 11:42 pm
Hello,

Iran has confirmed that Stuxnet has caused problems for some of their nuclear enrichment facilities. I think this is as close to a confirmation that we will ever see ;)

Thanks,
--AD
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7