win.stuxnet

Stuxnet


There is no description at this point.

References
2020-07-29 — Atlantic Council — Trey Herr, June Lee, William Loomis, Stewart Scott
@techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-06-17 — Der Spiegel — Patrick Beuth
@online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } Die erste Cyberwaffe und ihre Folgen
Stuxnet
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-02 — Yahoo News — Kim Zetter, Huib Modderkolk
@online{zetter:20190902:revealed:d33539b, author = {Kim Zetter and Huib Modderkolk}, title = {{Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran}}, date = {2019-09-02}, organization = {Yahoo News}, url = {https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html}, language = {English}, urldate = {2020-01-07} } Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran
Stuxnet
2019-04-09 — Chronicle Security — Juan Andrés Guerrero-Saade, Silas Cutler
@techreport{guerrerosaade:20190409:oldest:062ea25, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{The Oldest Stuxnet Component Dials Up}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf}, language = {English}, urldate = {2019-12-04} } The Oldest Stuxnet Component Dials Up
FlowerShop Stuxnet
2018-03 — CrySyS Lab — Boldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-04-13 — A blog about rootkits research and the Windows kernel — Artem Baranov
@online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } Stuxnet drivers: detailed analysis
Stuxnet
2016-09-07 — Virus Bulletin — Brian Bartholomew, Juan Andrés Guerrero-Saade
@techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2011-01-03 — ESET Research — Aleksandr Matrosov, Eugene Rodionov, David Harley, Juraj Malcho
@techreport{matrosov:20110103:stuxnet:420d733, author = {Aleksandr Matrosov and Eugene Rodionov and David Harley and Juraj Malcho}, title = {{Stuxnet Under the Microscope}}, date = {2011-01-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf}, language = {English}, urldate = {2019-12-20} } Stuxnet Under the Microscope
Stuxnet
Yara Rules
[TLP:WHITE] win_stuxnet_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_stuxnet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N below is a run of seven x86 instructions (n = 7) that
     * yara-signator reported with score = 100 for this family. The disassembly
     * listed under each pattern is informational only and is not part of the
     * match. The ???????? wildcards mask 4-byte immediates and displacements
     * (call/jmp targets, absolute addresses) that change between builds and
     * load addresses, so the surrounding opcode bytes carry the match.
     */
    strings:
        $sequence_0 = { 83f8ff 7524 807df300 7486 50 56 8d4580 }
            // n = 7, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   7524                 | jne                 0x26
            //   807df300             | cmp                 byte ptr [ebp - 0xd], 0
            //   7486                 | je                  0xffffff88
            //   50                   | push                eax
            //   56                   | push                esi
            //   8d4580               | lea                 eax, [ebp - 0x80]

        $sequence_1 = { ff7410fc 52 50 51 e8???????? c20800 55 }
            // n = 7, score = 100
            //   ff7410fc             | push                dword ptr [eax + edx - 4]
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   c20800               | ret                 8
            //   55                   | push                ebp

        $sequence_2 = { 751c 68???????? 8d45a4 50 c745a801000000 c745a498239600 e8???????? }
            // n = 7, score = 100
            //   751c                 | jne                 0x1e
            //   68????????           |                     
            //   8d45a4               | lea                 eax, [ebp - 0x5c]
            //   50                   | push                eax
            //   c745a801000000       | mov                 dword ptr [ebp - 0x58], 1
            //   c745a498239600       | mov                 dword ptr [ebp - 0x5c], 0x962398
            //   e8????????           |                     

        // NOTE(review): the literal 0x10005460 below is an absolute address and
        // is not wildcarded, so this sequence is tied to an image base of
        // 0x10000000 (presumably the default DLL base); a relocated in-memory
        // image may not match it even though the code is otherwise identical.
        $sequence_3 = { 7542 6804010000 8d442408 50 56 ff15???????? 6860540010 }
            // n = 7, score = 100
            //   7542                 | jne                 0x44
            //   6804010000           | push                0x104
            //   8d442408             | lea                 eax, [esp + 8]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   6860540010           | push                0x10005460

        $sequence_4 = { e8???????? 85ff 5f 5e 5b 7431 c7453c04000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85ff                 | test                edi, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   7431                 | je                  0x33
            //   c7453c04000000       | mov                 dword ptr [ebp + 0x3c], 4

        $sequence_5 = { 8d442420 50 8bf1 e8???????? 33ff 897c2444 8d44240f }
            // n = 7, score = 100
            //   8d442420             | lea                 eax, [esp + 0x20]
            //   50                   | push                eax
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   897c2444             | mov                 dword ptr [esp + 0x44], edi
            //   8d44240f             | lea                 eax, [esp + 0xf]

        $sequence_6 = { e9???????? 8b45ec 8b4df8 0388a0000000 894dfc 8b45fc 83780400 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   0388a0000000         | add                 ecx, dword ptr [eax + 0xa0]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83780400             | cmp                 dword ptr [eax + 4], 0

        $sequence_7 = { e8???????? 59 50 8d7e18 57 e8???????? 895dfc }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   8d7e18               | lea                 edi, [esi + 0x18]
            //   57                   | push                edi
            //   e8????????           |                     
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_8 = { e8???????? 8364245400 8d44242c e8???????? 8b5d08 8d44242c 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8364245400           | and                 dword ptr [esp + 0x54], 0
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   e8????????           |                     
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   50                   | push                eax

        $sequence_9 = { e8???????? c3 8d4580 50 e8???????? c3 8d4580 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8d4580               | lea                 eax, [ebp - 0x80]

    condition:
        // At least 7 of the 10 $sequence_* patterns must be present, and the
        // scanned object must be smaller than 2482176 bytes (~2.4 MB). The
        // size bound means large dumps or containers embedding the code will
        // not match even when all sequences are present; scan the unpacked
        // module or memory region directly if that is a concern.
        7 of them and filesize < 2482176
}
[TLP:WHITE] win_stuxnet_w0   (20190418 | Stuxshop standalone sample configuration)
rule win_stuxnet_w0 {
    meta:
        author = "JAG-S (turla@chronicle.security)"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        description = "Stuxshop standalone sample configuration"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // C2 URL prefixes from the sample's configuration (two raw IPs, two
        // domains). These are sample-specific data: a build with a different
        // configuration can only be caught by the $regkey* or $flowerOverlap*
        // branches below.
        $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide
        $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide
        $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide
        $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide
        // Registry key path and value name, presumably where the sample keeps
        // its configuration (confirm against the Chronicle "Oldest Stuxnet
        // Component" report). Both names may also occur in legitimate
        // NTVDM-related software, so a hit on this branch alone deserves
        // manual review of the matching file.
        $regkey1  =  "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide
        $regkey2  =  "NTVDMParams" ascii wide
        // Code byte patterns that, per the string names, overlap with the
        // Flowershop family; they are the only branch that survives a change
        // of C2 and registry configuration. Note that "5068" in
        // $flowerOverlap3 is written without a space but is still read by
        // YARA as the two bytes 50 68.
        $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 }
        $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 }
        $flowerOverlap3  = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 5068 19 00 02 00 6A 00 FF 75 0C FF 75 08 }
        $flowerOverlap4  = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }
        $flowerOverlap5  = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 }
        $flowerOverlap6  = {   85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 }
    condition:
        // Three independent branches: all six code overlaps, or any two C2
        // URLs, or both registry strings together. Which branch fired is worth
        // recording at triage time, since they carry different confidence.
        all of  ($flowerOverlap*) or 2 of ($cnc*) or all of  ($regkey*)
}
[TLP:WHITE] win_stuxnet_w1   (20190418 | No description)
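rule win_stuxnet_w1 {
    meta:
        // Meta values cleaned of stray U+200B (zero-width space) characters
        // that surrounded author, desc and hash in the published copy; the
        // invisible characters broke copy/paste and hash lookups. The hash is
        // the same sample referenced by win_stuxnet_w0.
        author = "Silas Cutler (havex@Chronicle.Security)"
        desc = "Identifies the OS Check function in STUXSHOP and CheshireCat"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Two anonymous byte patterns from the OS-check function described in
        // desc; either one is sufficient (see condition). The ?? wildcards mask
        // bytes that vary between the two families named in desc.
        $ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05 5E }
        // NOTE(review): the "?? ?? ?? 10" operands below look like absolute
        // addresses in a 0x10000000-based image (compare push 0x10005460 in
        // win_stuxnet_auto); a relocated in-memory image may not match this
        // pattern. Confirm against the sample before relying on it for memory
        // scans.
        $ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6 }
    condition:
        any of them
}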