APT (Targeted attacks)

Over the last few days, Stuxnet has been covered extensively in the mass media. And it’s been covered differently by different sources. “Iran”, “Bushehr nuclear plant” and “cyber-weapon” are phrases which are already inexorably linked to Stuxnet.

Over the past few weeks the AV industry has continued to focus its research efforts on the Stuxnet worm. We blogged about what we found while we were investigating the malware; our Stuxnet series may have come to an end, but that doesn’t mean we’ve stopped our research.

So far in our series about Stuxnet we’ve focussed on the main issue: the threat posed by the zero-day vulnerability in the processing of LNK files, and the fact that cybercriminals have somehow got their hands on digital certificates. What we haven’t done in any detail is look at the worm’s functionality.

A few days ago we wrote about a new variant of the Stuxnet worm’s rootkit component, signed not with Realtek’s digital signature, but with one owned by JMicron. Costin posted about it in detail.

FAQ about the stolen JMicron and Realtek certificates.

A theory about the certificates used to sign the Stuxnet trojan drivers.

The geographical distribution of Stuxnet infections is just as interesting as the Trojan itself. We detect the rootkit component (the signed drivers) as Rootkit.Win32.Stuxnet, and the other files as Trojan-Dropper.Win32.Stuxnet.

Having finished episode 1 on a botanical note, let’s continue our trip into the undergrowth by taking a look at the Stuxnet Trojan’s digital signature.

Myrtus and Guava, Episode 1

Cybercriminals use a variety of bots to conduct DDoS attacks on Internet servers. One of the most popular tools is called Black Energy 2. This malicious program is the subject of this article.