Same Platform Made Stuxnet, Duqu; Others Lurk
wiredmikey writes "New research from Kaspersky Labs has revealed that the platform dubbed 'tilded' (~d), which was used to develop Stuxnet and Duqu, has been around for years. The researchers say that same platform has been used to create similar Trojans which have yet to be discovered. Alexander Gostev and Igor Sumenkov have put together some interesting research, the key point being that the person(s) behind what the world knows as Stuxnet and Duqu have actually been using the same development platform for several years." An anonymous reader adds a link to this "surprisingly entertaining presentation" (video) by a Microsoft engineer, in which "he tells the story of how he and others analysed the exploits used by Stuxnet. Also surprising are the simplicity of the exploits which were still present in Win7." See also the report at Securelist from which the SecurityWeek story draws.
Happy new year~
There's no better way to kick off the new year on Slashdot than with a Microsoft article.
Maybe you're both right: Microsoft will release a Linux distro. It will be both wildly successful and record-breakingly secure. It will also cure cancer, balance the US federal budget, and bring about world peace.
Actually, if you watched the video, Stuxnet was interesting because it used different 0-day exploits depending on which version of the OS was used. Only one of the exploits (the foothold exploit that allows the code to work in userland in the first place) worked on all versions of Windows.
So, what it really showed was that out of 5 exploits, only one worked across the whole platform, and that one only allowed userland access.
I saw "printer on fire" the other day on my linux power pc (after installing a pci parallel port card) ...
the thing is unless you want to fuck over X decades of the way shit was done you're going to have old things pop up, like it or not that is the beat of the drum or else you end up with a trillion incompatible systems reminiscent of the early 1980s cheap home computer syndrome.
Which if you're not old enough to remember ... just the simple ability to transfer ASCII text files from one platform to another was a headache
Windows is still hobbled by backwards compatibility. They have been steadily pruning the system of such compatibility issues over the years, but they still remain.
The print spooler was a compatibility issue, and it wasn't writing files to the system directory of another computer. It was the remote print spooler that was writing to its own system directory.
The shell icon extraction code was probably written for Windows 95, and the LoadLibraryEx was not added until Windows 2000. This is why it was the only exploit that worked on all systems.
The CRC32 bit was definitely not well thought out, but it was most likely not considered to be an attack vector, and only there to prevent file corruption... for which CRC32 is fine.
There are going to be bugs in any non-trivial code, and Windows has a lot of code. Just like Linux has lots of code, and MacOS has lots of code... you can find these kinds of issues in any OS.
Writing new code from scratch will not make that code suddenly bug free.
The video is very interesting, but one thing really does annoy me. He talks about discovering the initial vuln and how they were able to understand it literally within minutes (around slide 15/16) and they realized how serious it was (100% successful loading of a DLL from a WebDAV path via LoadLib because control panel icons are handled in a different (broken) way).
He says that the vuln existed for years and that a 7-year-old could exploit it because it was included in Metasploit (slide 16). He clearly indicated that Metasploit knew about this before MS and that they were tipped off by 1 or 2 other 3rd party malware researchers who sent in "just another LNK exploit" that they happened to bother to look at. He even said "it's a good thing we did [look at it]".
So this tells me that MS does NOT bother to review Metasploit scripts to get a leg up on zero days..... that surprised and annoys me.
In the video at 11:16-ish he says, "it is loading the DLL from the net". Essentially Windows allows an attacker to build executables from library sources, disguised as icon containers, located anywhere on the net. Priceless!
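Added example (my own Python, not code from the thread, the video or Kaspersky): a small triage parser for the Shell Link (.lnk) StringData section that flags shortcuts whose icon location or other path fields point at a UNC (SMB/WebDAV) share or a .cpl file, which is the "DLL loaded from the net" pattern the comment above describes. It assumes the MS-SHLLINK header and StringData layout as I know it, builds its own constructed fixture, and does not decode the control-panel shell items in the LinkTargetIDList, so it is a heuristic for hunting suspicious shortcuts, not a complete detector.

```python
import struct

# LinkFlags bits from the Shell Link (.LNK) binary format (MS-SHLLINK).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk blob, keyed by field name."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                      # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: uint16 size, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: uint32 size covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:               # each present string: uint16 char count, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields


def suspicious_lnk(fields: dict) -> bool:
    """Heuristic: any path field on a UNC share, or an icon resource that is a .cpl module."""
    remote = any(v.strip().startswith("\\\\") for v in fields.values())
    icon = fields.get("icon_location", "").strip().lower()
    return remote or icon.endswith(".cpl")


def build_lnk(icon_location: str) -> bytes:
    """Constructed fixture: a minimal .lnk carrying only a Unicode IconLocation string."""
    flags = 0x40 | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, then 48 zero bytes for times/size/index/show/hotkey/reserved.
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + b"\x00" * 48
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")


if __name__ == "__main__":
    for sample in (r"\\example.invalid\share\icon.dll", r"C:\Windows\System32\shell32.dll"):
        print(sample, "->", "SUSPICIOUS" if suspicious_lnk(parse_lnk_strings(build_lnk(sample))) else "ok")
```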
Having to work for a living is the root of all evil.
Reminds me of this hack: 133-byte PE executable with remote code loading.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.