win.stuxnet

Stuxnet


There is no description at this point.

References
2020-06-17 | Der Spiegel | Patrick Beuth
@online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } Die erste Cyberwaffe und ihre Folgen
Stuxnet
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-02 | Yahoo News | Kim Zetter, Huib Modderkolk
@online{zetter:20190902:revealed:d33539b, author = {Kim Zetter and Huib Modderkolk}, title = {{Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran}}, date = {2019-09-02}, organization = {Yahoo News}, url = {https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html}, language = {English}, urldate = {2020-01-07} } Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran
Stuxnet
2019-04-09 | Chronicle Security | Juan Andrés Guerrero-Saade, Silas Cutler
@techreport{guerrerosaade:20190409:oldest:062ea25, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{The Oldest Stuxnet Component Dials Up}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf}, language = {English}, urldate = {2019-12-04} } The Oldest Stuxnet Component Dials Up
FlowerShop Stuxnet
2018-03 | CrySyS Lab | Boldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-04-13 | A blog about rootkits research and the Windows kernel | Artem Baranov
@online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } Stuxnet drivers: detailed analysis
Stuxnet
2016-09-07 | Virus Bulletin | Brian Bartholomew, Juan Andrés Guerrero-Saade
@techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2011-01-03 | ESET Research | Aleksandr Matrosov, Eugene Rodionov, David Harley, Juraj Malcho
@techreport{matrosov:20110103:stuxnet:420d733, author = {Aleksandr Matrosov and Eugene Rodionov and David Harley and Juraj Malcho}, title = {{Stuxnet Under the Microscope}}, date = {2011-01-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf}, language = {English}, urldate = {2019-12-20} } Stuxnet Under the Microscope
Stuxnet
Yara Rules
[TLP:WHITE] win_stuxnet_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_stuxnet_auto {
    // Autogenerated code-sequence rule for win.stuxnet produced by yara-signator.
    // The byte sequences below were selected automatically from disassembly of
    // the documented samples (see the DISCLAIMER further down), so treat matches
    // as a family indicator with the confidence level appropriate for that method.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // generation date; note that malpedia_rule_date / malpedia_version below
        // carry the previous day (20200529), presumably the data snapshot date
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // masking configuration: call/jump targets and data references are
        // replaced by wildcards in the sequences below
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is 7 consecutive instructions (n = 7). Bytes written as
        // "??" are wildcards; in the per-byte listing they appear with an empty
        // disassembly column and correspond to operands that vary between builds
        // (call/jump targets, data references) as configured in tool_config.
        // Hex bytes are written without separators, which YARA accepts.
        $sequence_0 = { c745fc05000000 8b7e10 8d5fd4 57 57 53 e8???????? }
            // n = 7, score = 200
            //   c745fc05000000       | mov                 dword ptr [ebp - 4], 5
            //   8b7e10               | mov                 edi, dword ptr [esi + 0x10]
            //   8d5fd4               | lea                 ebx, [edi - 0x2c]
            //   57                   | push                edi
            //   57                   | push                edi
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_1 = { c700???????? 8b5108 895008 8b510c 56 89500c 57 }
            // n = 7, score = 200
            //   c700????????         |                     
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   56                   | push                esi
            //   89500c               | mov                 dword ptr [eax + 0xc], edx
            //   57                   | push                edi

        $sequence_2 = { b8???????? e9???????? e9???????? 8b4508 e9???????? ff7508 e8???????? }
            // n = 7, score = 200
            //   b8????????           |                     
            //   e9????????           |                     
            //   e9????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   e9????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_3 = { e8???????? c3 8d45dc 50 e8???????? c3 8d4dbc }
            // n = 7, score = 200
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]

        $sequence_4 = { ff8000010000 c9 c3 55 8bec 83ec10 56 }
            // n = 7, score = 200
            //   ff8000010000         | inc                 dword ptr [eax + 0x100]
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   56                   | push                esi

        $sequence_5 = { ab 51 c6461801 ff15???????? 834dfcff 8b4df4 5f }
            // n = 7, score = 200
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   51                   | push                ecx
            //   c6461801             | mov                 byte ptr [esi + 0x18], 1
            //   ff15????????         |                     
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   5f                   | pop                 edi

        $sequence_6 = { 56 57 ff742410 8b7c2410 8bf1 e8???????? 84c0 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_7 = { 56 57 8b7d08 33c0 8d7704 8807 8906 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   8d7704               | lea                 esi, [edi + 4]
            //   8807                 | mov                 byte ptr [edi], al
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_8 = { eb6a 53 6804010000 ff7510 6a00 56 e8???????? }
            // n = 7, score = 200
            //   eb6a                 | jmp                 0x6c
            //   53                   | push                ebx
            //   6804010000           | push                0x104
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_9 = { 7408 8b45fc e9???????? 8b45e8 8945f4 8b45e8 83c024 }
            // n = 7, score = 200
            //   7408                 | je                  0xa
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e9????????           |                     
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   83c024               | add                 eax, 0x24

    condition:
        // 10 sequences are defined ($sequence_0 .. $sequence_9); at least 7 must
        // be present, which tolerates a few sequences being absent in samples
        // other than the ones the rule was generated from. filesize is in bytes
        // (2495488 = 2437 KiB) and bounds the files considered.
        7 of them and filesize < 2495488
}
[TLP:WHITE] win_stuxnet_w0   (20190418 | Stuxshop standalone sample configuration)
rule win_stuxnet_w0 {
    // Stuxshop standalone sample. Three independent indicator groups are
    // checked: embedded C2 URL prefixes, a registry key path plus value name,
    // and code sequences whose names mark them as overlapping with FlowerShop.
    meta:
        author = "JAG-S (turla@chronicle.security)"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        description = "Stuxshop standalone sample configuration"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // C2 beacon URL prefixes; the condition only needs two of the four, so
        // a build carrying a subset of these addresses still matches.
        $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide
        $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide
        $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide
        $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide
        // registry key path and value name referenced by the sample (both
        // must be present for this group to fire)
        $regkey1 = "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide
        $regkey2 = "NTVDMParams" ascii wide
        // x86 code sequences; all six are required for this group to fire
        $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 }
        $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 }
        $flowerOverlap3 = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 50 68 19 00 02 00 6A 00 FF 75 0C FF 75 08 }
        $flowerOverlap4 = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }
        $flowerOverlap5 = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 }
        $flowerOverlap6 = { 85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 }
    condition:
        // any one indicator group is sufficient
        2 of ($cnc*) or all of ($regkey*) or all of ($flowerOverlap*)
}
[TLP:WHITE] win_stuxnet_w1   (20190418 | No description)
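rule win_stuxnet_w1 {
    // Identifies the OS-check function shared by STUXSHOP and CheshireCat.
    //
    // Fixes relative to the published text: the author, description and hash
    // meta values contained invisible U+200B (zero-width space) characters,
    // which made the hash value fail exact comparison against a plain SHA-256
    // string; they are removed here. The description key is also renamed from
    // `desc` to `description` to match the other win.stuxnet rules (the rule
    // listing showed this rule as "No description", consistent with the
    // non-standard key not being picked up).
    meta:
        author = "Silas Cutler (havex@Chronicle.Security)"
        description = "Identifies the OS Check function in STUXSHOP and CheshireCat"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Two byte-pattern variants of the OS-check code. "??" wildcards appear
        // to cover build-dependent bytes (jump displacements, address bytes of
        // the 0x10xxxxxx image range) — confirm against the referenced sample.
        $os_check_1 = { 10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05 5E }
        $os_check_2 = { 01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6 }
    condition:
        // either variant alone is sufficient
        any of them
}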