Recognizing the Signs That Your Computer Is Infected with Stuxnet

Nearly every antivirus vendor rates Stuxnet as a threat that could set off a war in cyberspace. Little wonder: the malware can infiltrate industrial machinery and potentially disrupt critical facilities, which its creators then control from far away. The most recent case is the Stuxnet attack on Iran's nuclear facilities.

Besides targeting the Siemens SCADA-based platforms commonly used to run industrial machinery, Stuxnet has also been reported attacking ordinary Windows computers. The Indonesian security company Vaksincom has recorded Stuxnet infections on personal computers running Windows Vista and Windows 7.

The infection stops the computer from working normally, which certainly disrupts its user. Worse, the malware (malicious software) can corrupt important data or steal information from the computer. So, rather than being sorry for noticing the infection too late, learn the signs now.

Symptoms and Effects

Some of the symptoms that appear when a computer is infected with Stuxnet:

1. New drivers are installed (replacing old ones). Once the Stuxnet worm has infected the machine, it installs its own kernel drivers, which carry Realtek or JMicron digital signatures, in place of legitimate driver files. Stuxnet installs two driver files: MRXCLS.SYS and MRXNET.SYS.

2. Printer sharing dies. The worm injects itself into spoolsv.exe (the print spooler), so printing grinds to a halt: an infected computer can no longer print. In place of the print activity, the worm creates two files:

- C:\WINDOWS\system32\winsta.exe (the main Stuxnet worm file)

- C:\WINDOWS\system32\WBEM\mof\sysnullevnt.mof

3. Low disk space. Because the forced print activity never stops, the winsta.exe file keeps growing until it exhausts the free space on the hard disk, and Windows will eventually show its Low Disk Space warning.

4. Data cannot be saved and some programs will not run. As the winsta.exe file grows and free disk space shrinks, you can no longer save data. Programs and applications also fail to start because the temporary storage (cache) they need has all been consumed by the swollen winsta.exe file.

5. The computer hangs or slows down, and the network connection may even drop. The Windows system files the Stuxnet worm injects into are:

- C:\WINDOWS\system32\svchost.exe (system file tied to the network connection; injecting into it makes the network disconnect)

- C:\WINDOWS\system32\lsass.exe (system file tied to general computer activity; injecting into it makes the computer hang or slow down)

6. Connections to a remote server. The Stuxnet worm connects to a remote server to send the information it has collected. The remote servers used are:

- www.premierfutbol.com

- www.todaysfutbol.com

7. A scheduled task is created. In the same way as Conficker, the Stuxnet worm creates a scheduled task so that its file stays active and keeps infecting the computer.

Stuxnet Worm Files

When the Stuxnet worm is executed, it injects itself into the following Windows system files:

- C:\WINDOWS\system32\lsass.exe

- C:\WINDOWS\system32\svchost.exe

- C:\WINDOWS\system32\spoolsv.exe

It also creates two driver files:

- C:\WINDOWS\system32\drivers\mrxcls.sys

- C:\WINDOWS\system32\drivers\mrxnet.sys

And several configuration files:

- C:\WINDOWS\inf\oem6c.pnf

- C:\WINDOWS\inf\oem7a.pnf

- C:\WINDOWS\inf\mdmeric3.pnf

- C:\WINDOWS\inf\mdmcpq3.pnf

As well as two other files:

- C:\WINDOWS\system32\KERNEL32.DLL.ASR.xxx or C:\WINDOWS\system32\SHELL32.DLL.ASR.xxx

- C:\add-ins\defrag[random_number].TMP

It also creates a scheduled task file:

- C:\WINDOWS\Tasks\At1.job

Once spoolsv.exe has been infected, the worm creates two more files:

- C:\WINDOWS\system32\winsta.exe (while the worm is active this file keeps growing in size)

- C:\WINDOWS\system32\WBEM\mof\sysnullevnt.mof

On removable disks/drives it also creates several files:

- Autorun.inf

- Copy of Shortcut.lnk

- Copy of Copy of Shortcut.lnk

- Copy of Copy of Copy of Shortcut.lnk

- Copy of Copy of Copy of Copy of Shortcut.lnk

- ~WTR[random_number].tmp

- ~WTR[random_number].tmp

Registry Modifications

Some of the registry modifications made by the Stuxnet worm are as follows:

- Added keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxNet

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MrxNet

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxCls

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRX

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET

HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_MRXCLS

HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_MRXNET

Distribution Method

The Stuxnet worm spreads in the following ways:

- Removable drives/disks. This is the route that ordinary computer users are most often hit by. Abusing AutoPlay/autorun, the worm creates the following files on the drive in order to infect a computer:

1. Autorun.inf

2. Copy of Shortcut.lnk

3. Copy of Copy of Shortcut.lnk

4. Copy of Copy of Copy of Shortcut.lnk

5. Copy of Copy of Copy of Copy of Shortcut.lnk

6. ~WTR[random_number].tmp

7. ~WTR[random_number].tmp

In addition, by exploiting the MS10-046 vulnerability (Windows Shell icon handler), the shortcut (LNK) file is executed as soon as the drive's contents are displayed, with no need for the user to open it.

- Network. The worm exploits security holes in Windows systems, namely:

1. MS08-067 (Windows Server Service), the same vulnerability exploited by Conficker, gaining access to the victim through the C$ and ADMIN$ shares.

2. MS10-061 (Windows Print Spooler): through printer sharing, the worm infects computers that access the shared printer. (Vaksincom)
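As an added example (not from the original post and not Vaksincom's tool), the following Python script sweeps a machine for the indicators listed in the Stuxnet Worm Files, Registry Modifications and Distribution Method sections above: the dropped host files, the MRxCls/MrxNet service keys, and the Autorun.inf + "Copy of ... Shortcut.lnk" + ~WTR<digits>.tmp pattern on a removable-drive root. The registry check uses the standard winreg module and therefore runs only on Windows; the embedded USB listing is constructed sample data (the ~WTR digits in it are placeholders, since the real numbers vary), and the file name stuxnet_ioc_sweep.py is assumed.

```python
"""stuxnet_ioc_sweep.py: offline sweep for the Stuxnet indicators listed on this page.

Usage:  python stuxnet_ioc_sweep.py [WINDOWS_DIR] [REMOVABLE_DRIVE_ROOT ...]
Added example; it checks file names and key names only, not file contents.
"""
import os
import re
import sys
from pathlib import Path

# Dropped host files, relative to the Windows directory (from the list above).
HOST_FILE_IOCS = (
    "system32/winsta.exe",
    "system32/wbem/mof/sysnullevnt.mof",
    "system32/drivers/mrxcls.sys",
    "system32/drivers/mrxnet.sys",
    "inf/oem6c.pnf",
    "inf/oem7a.pnf",
    "inf/mdmeric3.pnf",
    "inf/mdmcpq3.pnf",
    "Tasks/At1.job",
)
# Service names registered under HKLM\SYSTEM\CurrentControlSet\Services.
REGISTRY_SERVICE_IOCS = ("MRxCls", "MrxNet")
# Names dropped on removable media: the nested "Copy of" shortcut chain and the
# ~WTR<digits>.tmp payloads that the LNK files load.
LNK_RE = re.compile(r"^(copy of )+shortcut\.lnk$", re.IGNORECASE)
WTR_RE = re.compile(r"^~wtr\d+\.tmp$", re.IGNORECASE)

# Constructed sample listing of an infected USB root (not a real capture;
# the ~WTR digits are placeholders).
SAMPLE_USB_LISTING = [
    "Autorun.inf",
    "Copy of Shortcut.lnk",
    "Copy of Copy of Shortcut.lnk",
    "Copy of Copy of Copy of Shortcut.lnk",
    "Copy of Copy of Copy of Copy of Shortcut.lnk",
    "~WTR4132.tmp",
    "~WTR4141.tmp",
    "holiday.jpg",
]


def match_host_iocs(existing_relative_paths):
    """Pure check: which known dropped files appear in a listing of paths
    relative to the Windows directory (forward or back slashes, any case)."""
    normalised = {p.replace("\\", "/").lower() for p in existing_relative_paths}
    return [ioc for ioc in HOST_FILE_IOCS if ioc.lower() in normalised]


def scan_windows_dir(windir):
    """Look for each dropped file under a real Windows directory."""
    root = Path(windir)
    return [ioc for ioc in HOST_FILE_IOCS if root.joinpath(*ioc.split("/")).exists()]


def classify_removable_listing(names):
    """Pure check on a directory listing taken from a removable-drive root."""
    lnks = sorted(n for n in names if LNK_RE.match(n))
    wtrs = sorted(n for n in names if WTR_RE.match(n))
    autorun = any(n.lower() == "autorun.inf" for n in names)
    # A shortcut chain together with ~WTR payloads is the drop pattern above;
    # Autorun.inf or one half of the pair alone only warrants a closer look.
    if lnks and wtrs:
        verdict = "stuxnet-pattern"
    elif lnks or wtrs or autorun:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"autorun": autorun, "lnk": lnks, "wtr": wtrs, "verdict": verdict}


def scan_removable_root(drive_root):
    """List a mounted drive root and classify it."""
    return classify_removable_listing(os.listdir(drive_root))


def scan_registry_services():
    """Windows only: return (service name, ImagePath) for MRxCls/MrxNet keys
    that exist under CurrentControlSet\\Services; [] where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for name in REGISTRY_SERVICE_IOCS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 "SYSTEM\\CurrentControlSet\\Services\\" + name)
        except OSError:
            continue  # key absent: this service is not registered
        with key:
            try:
                image, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                image = "?"
        found.append((name, image))
    return found


if __name__ == "__main__":
    windir = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", "C:\\Windows")
    print("dropped host files:", scan_windows_dir(windir) or "none")
    print("service keys:", scan_registry_services() or "none")
    for drive in sys.argv[2:]:
        print(drive, scan_removable_root(drive))
    print("sample USB listing:", classify_removable_listing(SAMPLE_USB_LISTING)["verdict"])
```

The pure functions (match_host_iocs, classify_removable_listing) take plain name lists, so the same logic can be run over a listing exported from an isolated machine without mounting the suspect drive on the analysis host. A hit on the file names is a trigger for hashing and quarantine, not proof by itself, since the names are known and trivially reusable by other malware.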
