Slashdot Mirror


Same Platform Made Stuxnet, Duqu; Others Lurk

wiredmikey writes "New research from Kaspersky Labs has revealed that the platform dubbed 'tilded' (~d), which was used to develop Stuxnet and Duqu, has been around for years. The researchers say that same platform has been used to create similar Trojans which have yet to be discovered. Alexander Gostev and Igor Sumenkov have put together some interesting research, the key point being that the person(s) behind what the world knows as Stuxnet and Duqu have actually been using the same development platform for several years." An anonymous reader adds a link to this "surprisingly entertaining presentation" (video) by a Microsoft engineer, in which "he tells the story of how he and others analysed the exploits used by Stuxnet. Also surprising is the simplicity of the exploits which were still present in Win7." See also the report at Securelist from which the SecurityWeek story draws.

9 of 89 comments

  1. So Duqu also = CIA project? by RMingin · · Score: 3, Interesting

    Correct me if I'm wrong, but didn't the CIA totally deny not knowing who made Stuxnet, and that they were sure they totally weren't excluding themselves, and various other CIA double-negativisms that all but said "We did that?" Can't we just say "Duqu written by CIA, just like Stuxnet, on the same dev platform?"

    --
    The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
  2. Re:Windows 7 by man_of_mr_e · · Score: 4, Interesting

    Actually, if you watched the video, Stuxnet was interesting because it used different 0-day exploits depending on which version of the OS was used. Only one of the exploits (the foothold exploit that allows the code to work in userland in the first place) worked on all versions of Windows.

    So, what it really showed was that out of 5 exploits, only one worked across the whole platform, and that one only allowed userland access.

  3. Yea and ... by Osgeld · · Score: 4, Interesting

    I saw "printer on fire" the other day on my Linux PowerPC (after installing a PCI parallel port card) ...

    the thing is unless you want to fuck over X decades of the way shit was done you're going to have old things pop up, like it or not that is the beat of the drum or else you end up with a trillion incompatible systems reminiscent of the early 1980's cheap home computer syndrome.

    Which if you're not old enough to remember ... just the simple ability to transfer ASCII text files from one platform to another was a headache

    1. Re:Yea and ... by VortexCortex · · Score: 3, Interesting

      It wasn't a big deal. I used my BBS.

      Protip: Connect two PCs' modems to a single phone line. (Null modem works, but for portability we're going with the lowest common denominator).

      Some modems can be told to ignore the "No Carrier" error, so you can connect the PCs directly to each other, but if yours can't, or the machines are in different rooms, just connect the lines directly to the wall outlets to get the carrier...

      You can't ring yourself (unless you have two phone lines), so instead you just wait... The booo Dooo BEEEEP "Please Hang Up" (off-hook alert) plays. Then you wait some more for that to stop... Now you have an open phone line to connect two modems via. So all you have to do now is drop to the modem command mode (+++), and issue an ATDT on one PC (Hayes compatible: Attention Dial Tone), but you don't specify a phone number. To the other PC's modem you issue: ATA (Attention, Answer). The handshake should begin and you can copy / paste ASCII text back and forth once the connection is established. I've used this trick recently with Xmodem, Kermit, etc. to transfer Ethernet NIC driver sources, and other files in a pinch.

      Maybe transferring ASCII was a headache to you, but it was a breeze to me: even back then digital distribution was miles ahead of sneaker-net & proprietary file system formats...

  4. Re:Windows 7 by Anonymous Coward · · Score: 2, Interesting

    What I found interesting is the low code quality of Windows reflected in the exploits.
    Calling LoadLibrary (rather than LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE) if all you want to do is extract an icon?
    Using CRC32 to guard what is essentially trusted login information?
    Not range checking an index into a list of function pointers when you read it in?
    The print spooler can write arbitrary files? In the system directory of another computer? And it impersonates local system when acting on behalf of a guest?
    O_O ... was this code written by interns?
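    Added example (not from this comment, and not the Windows code it describes): a C program showing why a CRC32 is no guard against deliberate tampering. Anyone can recompute a CRC, but the problem is worse than that: the CRC register update is linear and invertible, so after rewriting a record an attacker can append four chosen bytes that bring the checksum back to the originally stored value, which defeats even a check against a separately stored "known good" CRC. The record contents and the role field are constructed sample data; the function names are assumptions.

```c
/* crc32_forge.c - why a CRC32 is not an integrity guard (added example).
 *
 * crc32()             : standard IEEE CRC-32 (reflected, poly 0xEDB88320).
 * crc32_forge_suffix(): picks 4 trailing bytes so the CRC of any data
 *                       lands on a chosen value. Relies on the register
 *                       update being linear and invertible; every entry of
 *                       the lookup table has a distinct high byte.
 * demo_forge()        : constructed scenario - a record "guarded" by its
 *                       CRC32 is rewritten, then patched so the original
 *                       stored CRC still verifies.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void crc_init(void)
{
    if (crc_table_ready) return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

/* Feed bytes into the CRC register; no final XOR applied here. */
static uint32_t crc_update(uint32_t reg, const uint8_t *p, size_t n)
{
    crc_init();
    for (size_t i = 0; i < n; i++)
        reg = crc_table[(reg ^ p[i]) & 0xFFu] ^ (reg >> 8);
    return reg;
}

uint32_t crc32(const uint8_t *p, size_t n)
{
    return crc_update(0xFFFFFFFFu, p, n) ^ 0xFFFFFFFFu;
}

/* Invert one zero-byte register step: cur = T[i] ^ (prev >> 8).
 * The top byte of cur equals the top byte of T[i], which identifies i
 * uniquely; the rest of prev follows from the XOR. */
static uint32_t crc_unstep(uint32_t cur)
{
    for (uint32_t i = 0; i < 256; i++)
        if ((crc_table[i] >> 24) == (cur >> 24))
            return ((cur ^ crc_table[i]) << 8) | i;
    return 0; /* not reached: the 256 high bytes are all distinct */
}

/* Fill patch[4] so that crc32(data || patch) == target.
 * Feeding 4 bytes X from register S gives the same result as feeding
 * 4 zero bytes from S ^ X, so X = S ^ L^-1(target register). */
void crc32_forge_suffix(const uint8_t *data, size_t n,
                        uint32_t target, uint8_t patch[4])
{
    uint32_t reg  = crc_update(0xFFFFFFFFu, data, n); /* S */
    uint32_t want = target ^ 0xFFFFFFFFu;             /* register after patch */
    for (int k = 0; k < 4; k++)                        /* L^-1: undo 4 steps */
        want = crc_unstep(want);
    uint32_t x = reg ^ want;
    for (int k = 0; k < 4; k++)
        patch[k] = (uint8_t)(x >> (8 * k));            /* little-endian order */
}

/* Returns 1 if forging a suffix onto s makes its CRC32 equal target. */
int forge_check(const char *s, uint32_t target)
{
    uint8_t buf[256];
    size_t n = strlen(s);
    if (n > sizeof buf - 4) return 0;
    memcpy(buf, s, n);
    crc32_forge_suffix(buf, n, target, buf + n);
    return crc32(buf, n + 4) == target;
}

/* Constructed scenario. Returns 1 if the tampered record still passes
 * the CRC check against the originally stored value. */
int demo_forge(void)
{
    const uint8_t original[] = "user=guest;role=user";     /* sample record */
    uint32_t stored = crc32(original, sizeof original - 1); /* the "guard" */

    uint8_t tampered[64] = "user=guest;role=admin";        /* attacker's edit */
    size_t n = strlen((const char *)tampered);
    crc32_forge_suffix(tampered, n, stored, tampered + n); /* 4 filler bytes */
    n += 4;
    return crc32(tampered, n) == stored;
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X (expect 0xCBF43926)\n",
           crc32((const uint8_t *)"123456789", 9));
    printf("tampered record passes stored CRC: %s\n",
           demo_forge() ? "yes" : "no");
    return 0;
}
```

    A CRC only catches accidental corruption. Data that must survive a hostile writer needs a keyed MAC (for example HMAC over the whole record, with the key held only by the party that issues and verifies it) or a digital signature, and the four filler bytes above are a reminder that any format that tolerates trailing or ignored bytes gives the forger free room to work in.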

  5. Sad, isn't it? by msobkow · · Score: 1, Interesting

    Some companies are so slow to address reported and known security issues that the malware writers have time to not only create an exploit, but an entire framework for deploying it, and delivering multiple platform enhancements over the years.

    All while the vendor can't plug one stinking hole.

    --
    I do not fail; I succeed at finding out what does not work.
  6. Re:Windows 7 by Runaway1956 · · Score: 1, Interesting

    It's that "steadily pruning" that allows malware creators to keep up, or even to keep one step ahead of Microsoft.

    They need to make a clean break. The next release of Windows should be that clean break. Microsoft has masters of marketing in their employ. They can tell the world that everything from the old days is out the "Window", and none of it will work on Win8. And, they can hype it up in such a manner that even non-geeks get excited about it.

    I'll give grudging credit to Microsoft. Win7 is more secure than any of their previous operating systems. It's just not secure enough, because they have screwed up priorities. Put security first, convenience second, and backward compatibility a distant tenth place. "It might be nice if libraries X, Y and Z worked with Win8, so that Applications a thru z will run - but we're not going to waste time on them. Let the developers of X, Y and Z rewrite them to work in the new world, or they are history."

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  7. MS Versus Metasploit by superid · · Score: 4, Interesting

    The video is very interesting, but one thing really does annoy me. He talks about discovering the initial vuln and how they were able to understand it literally within minutes (around slide 15/16) and they realized how serious it was (100% successful loading of a DLL from a WebDAV path via LoadLib because control panel icons are handled in a different (broken) way).

    He says that the vuln existed for years and that a 7 year old could exploit it because it was included in Metasploit (slide 16). He clearly indicated that Metasploit knew about this before MS and that they were tipped off by 1 or 2 other 3rd party malware researchers who sent in "just another LNK exploit" that they happened to bother to look at. He even said "it's a good thing we did [look at it]".

    So this tells me that MS does NOT bother to review Metasploit scripts to get a leg up on zero days..... that surprises and annoys me.

  8. Linking DLLs from the net. Nice! by sgt+scrub · · Score: 4, Interesting

    In the video at 11:16-ish he says, "it is loading the dll from the net". Essentially Windows allows an attacker to build executables from library sources, disguised as icon containers, located anywhere on the net. Priceless!

    --
    Having to work for a living is the root of all evil.