W32.Stuxnet dossier

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

W32.Stuxnet dossier
Botnet Stuxnet
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2011 / 2011-04
Editor/Conference Symantec
Link https://www.symantec.com/content/en/us/enterprise/media/security response/whitepapers/w32 stuxnet dossier.pdf (Archive copy)
Author Nicolas Falliere, Liam O Murchu, Eric Chien
Type Tech report


W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly focus on the final goal of Stuxnet, which is to reprogram industrial control systems. Stuxnet is a large, complex piece of malware with many different components and functionalities. We have already covered some of these components in our blog series on the topic.

While some of the information from those blogs is included here, this paper is a more comprehensive and in-depth look at the threat. Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems. Industrial control systems are used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment.

In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. We take a look at each of the different components of Stuxnet to understand how the threat works in detail while keeping in mind that the ultimate goal of the threat is the most interesting and relevant part of the threat.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR2281,
   editor = {Symantec},
   author = {Nicolas Falliere, Liam O Murchu, Eric Chien},
   title = {W32.Stuxnet dossier},
   date = {01},
   month = Apr,
   year = {2011},
   howpublished = {\url{https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf}},