1- STUXNET
STUXNET has been the hottest topic of this year because it is an unusual worm: for the first time in history a piece of malware crossed from cyberspace directly into the physical environment. The virus not only damages code and data but also destroys real machines.
Reversing STUXNET allowed security professionals to discover 4 zero-days in the Microsoft Windows operating system, and as a result proved that even industrial systems, which are usually isolated not only from public networks but also from the internal enterprise network, are not 100% safe.
The worm's drivers were signed with certificates belonging to JMicron Technology and Realtek, which lets it bypass HIPS security measures: if the malware is executed it will not be blocked by HIPS, because the driver's signature belongs to authorized firms.
The carnival of vulnerabilities that were exploited by this malware is the following:
1. Microsoft Security Bulletin MS10-046 – Critical
This first bulletin fixes a vulnerability that allows local users or remote attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file, which is not properly handled during icon display in Windows Explorer.
2. Microsoft Security Bulletin MS10-061
This is a remote code execution vulnerability in the Windows Print Spooler service that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected Windows system. Systems with file and printer sharing turned on are vulnerable to the attack.
3. Microsoft Security Bulletin MS08-067
STUXNET is also capable of distributing itself over the network through shared folders. It scans the network shares c$ and admin$ on remote computers, installs a file (the dropper) there under the name DEFRAG<GetTickCount>.TMP, and schedules a task to execute it on the next day in order to exploit this vulnerability.
4. Microsoft Security Bulletin MS10-073
This security bulletin fixes three publicly disclosed elevation of privilege (EoP) vulnerabilities in Windows kernel-mode drivers.
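The share-propagation behaviour described under the third bulletin gives defenders two indicators that can be correlated: a file named DEFRAG<digits>.TMP written to a remote host's c$ or admin$ share, followed shortly afterwards by a scheduled task created on that same host for the next day. The Python below is an added example (not code from the original post or from any analysis of the worm) that runs this correlation over constructed telemetry; the record layout, the `host=`/`run=` fields of the task record and the 15-minute window are assumptions for the example, not a real log format.

```python
"""Correlate admin-share writes with scheduled-task creation (added example)."""
import re
from datetime import datetime, timedelta

# The page names the dropper as DEFRAG<GetTickCount>.TMP; GetTickCount is an
# unsigned 32-bit value, so the name is DEFRAG followed by up to 10 digits.
DROPPER_NAME = re.compile(r"^DEFRAG\d{1,10}\.TMP$", re.IGNORECASE)
# UNC path into one of the two administrative shares named on the page.
ADMIN_SHARE = re.compile(
    r"^\\\\(?P<host>[^\\]+)\\(?P<share>c\$|admin\$)\\(?P<rest>.+)$", re.IGNORECASE
)

# Constructed sample telemetry, not real data: (timestamp, source host, event type, detail).
SAMPLE_EVENTS = [
    ("2010-07-13 10:02:11", "ws-12", "file_create", r"\\ws-17\admin$\DEFRAG3271552.TMP"),
    ("2010-07-13 10:02:13", "ws-12", "task_create",
     "host=ws-17 name=at1 run=2010-07-14 10:02 cmd=rundll32.exe DEFRAG3271552.TMP"),
    ("2010-07-13 11:40:00", "ws-03", "file_create", r"\\fs-01\c$\reports\q2.xlsx"),
    ("2010-07-13 11:41:00", "ws-03", "task_create",
     "host=fs-01 name=backup run=2010-07-14 02:00 cmd=backup.exe"),
    ("2010-07-13 12:05:00", "ws-08", "file_create", r"\\fs-01\public\DEFRAG77.TMP"),
    ("2010-07-13 12:30:00", "ws-08", "file_create", r"C:\Windows\Temp\DEFRAG1.TMP"),
]


def parse_share_write(detail):
    """Return (target host, filename) for a write into c$ or admin$ of another host, else None."""
    m = ADMIN_SHARE.match(detail)
    if not m:
        return None
    filename = m.group("rest").rsplit("\\", 1)[-1]
    return m.group("host").lower(), filename


def parse_task(detail):
    """Extract target host and scheduled run time from the constructed task record format."""
    host = re.search(r"host=(\S+)", detail)
    run = re.search(r"run=(\d{4}-\d{2}-\d{2} \d{2}:\d{2})", detail)
    if not (host and run):
        return None
    return host.group(1).lower(), datetime.strptime(run.group(1), "%Y-%m-%d %H:%M")


def correlate(events, window=timedelta(minutes=15)):
    """Alert when a DEFRAG<digits>.TMP lands on a host's admin share and a task is
    scheduled on that host within `window`; note whether it runs the following day."""
    pending = {}  # target host -> (drop time, filename, source host)
    alerts = []
    for ts, src, kind, detail in sorted(events):  # ISO timestamps sort lexically
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "file_create":
            parsed = parse_share_write(detail)
            if parsed and DROPPER_NAME.match(parsed[1]):
                pending[parsed[0]] = (when, parsed[1], src)
        elif kind == "task_create":
            parsed = parse_task(detail)
            if not parsed:
                continue
            host, run_at = parsed
            drop = pending.get(host)
            if drop and when - drop[0] <= window:
                alerts.append({
                    "host": host,
                    "source": drop[2],
                    "dropper": drop[1],
                    "next_day": run_at.date() == (drop[0] + timedelta(days=1)).date(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("possible share propagation:", alert)
```

Only the first pair of records fires: the write to `\\fs-01\public` is not an administrative share, the local temp file is not a remote write at all, and the backup task on fs-01 has no matching dropper. Tuning the window and adding the requirement that the task command references the dropped file would cut noise further on a real estate.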
2- TDL4
TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which appeared back in 2008. However, unlike its predecessors, TDL4 is able to bypass code signing protection in 64-bit versions of Windows Vista and 7. By default these systems do not allow drivers that are not digitally signed to be loaded, but TDL4 manages to get around that by changing boot options before the operating system actually starts.
TDSS is one of the most complex and dangerous malicious program families in the world, and it continues to evolve.
3- Asprox
Asprox is a small botnet that has been used in password stealing, spam, and phishing attacks. This botnet-based attack is innovative: it interfaces with Google's search engine to locate vulnerable web pages. When a weakness is found, Asprox injects an iFrame-based redirect link into the vulnerable website in order to spread malware.
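Because Asprox spreads by planting an iFrame redirect in a legitimate site, the site owner's most useful control is integrity monitoring of their own pages. The Python below is an added example (not code from the original post or from any Asprox analysis) that pulls every iframe out of a fetched page and reports those pointing off-site or styled to be invisible; the sample HTML, the site and partner hostnames and the "injected-redirect.example" URL are constructed for the example.

```python
"""Flag off-site or hidden iframes in a page you own (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, not a real site: one legitimate partner embed and one
# injected 1x1 hidden iframe pointing to an external host.
SAMPLE_PAGE = """<html><body>
<h1>Quarterly report</h1>
<iframe src="https://video.partner.example/embed/42" width="640" height="360"></iframe>
<p>Figures for Q2.</p>
<iframe src="/help.html" width="300" height="200"></iframe>
<iframe src="http://injected-redirect.example/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attribute names
            self.iframes.append(dict(attrs))


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not a plain number."""
    try:
        return int(str(value).rstrip("px"))
    except ValueError:
        return None


def _looks_hidden(attrs):
    """Heuristic: 0/1 pixel frames or CSS that hides the element."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return iframes that are external (not the site or an allowed partner) or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or site_host).lower()  # relative src stays on-site
        external = host not in trusted
        hidden = _looks_hidden(attrs)
        if external or hidden:
            findings.append({"src": src, "host": host, "external": external, "hidden": hidden})
    return findings


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_PAGE, "www.site.example", ("video.partner.example",)):
        print("suspicious iframe:", f)
```

Run this against a scheduled fetch of each public page and diff the result against a known-good baseline; the partner embed and the relative `/help.html` frame pass, while the hidden external frame is reported with both flags set.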
4- ZeuS 2.0
The ZeuS botnet is still active in 2010. On July 14, 2010, the security firm Trusteer filed a report saying that credit cards from more than 15 unnamed US banks had been compromised. A recent outbreak is being called Kneber.
On 1 October 2010, the FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m. More than 90 suspected members of the ring were arrested in the US, and arrests were also made in the UK and Ukraine.
5- Trojan Proxies
These malwares may turn the victim's computer into a proxy server. This gives the attacker the opportunity to do everything from your computer, including conducting credit card fraud and other illegal activities.
Usually a proxy Trojan installs an email proxy that is used to send large amounts of unsolicited email, i.e. spam, over the victim's Internet connection. Recipients tracing the email back to its origin will discover the IP address of the infected system used as the proxy, which conceals the identity of the attacker. The system may even be used to launch malicious attacks against other networks.
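A workstation that has become a spam proxy looks different on the network from a normal mail client: instead of talking to the company's mail relay, it opens SMTP connections to a large number of distinct external hosts. The Python below is an added example (not code from the original post) that counts, per internal source, how many distinct external SMTP destinations it contacted and flags sources above a threshold; the flow tuples, the relay address, the threshold of 20 and the documentation-range addresses are constructed for the example.

```python
"""Spot hosts fanning out SMTP connections to many external destinations (added example)."""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Constructed flow records, not real traffic: (src_ip, dst_ip, dst_port, bytes_out).
# 10.0.5.21 behaves like a spam proxy; 10.0.5.40 is a normal client using the internal relay.
SAMPLE_FLOWS = (
    [("10.0.5.21", f"203.0.113.{i}", 25, 4000 + i) for i in range(1, 41)]
    + [("10.0.5.40", "10.0.0.9", 25, 3000), ("10.0.5.40", "10.0.0.9", 587, 2800)]
    + [("10.0.5.40", "198.51.100.7", 443, 900)]  # HTTPS, not SMTP
)


def smtp_fanout(flows, relays):
    """Map each source to the set of distinct SMTP destinations that are not approved relays."""
    fanout = defaultdict(set)
    for src, dst, port, _bytes in flows:
        if port in SMTP_PORTS and dst not in relays:
            fanout[src].add(dst)
    return fanout


def flag_spam_proxies(flows, relays, min_distinct=20):
    """Return [(source, distinct destination count)] for sources above the threshold,
    highest fan-out first. A legitimate client should only ever reach the relays."""
    fanout = smtp_fanout(flows, relays)
    hits = [(src, len(dsts)) for src, dsts in fanout.items() if len(dsts) >= min_distinct]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, count in flag_spam_proxies(SAMPLE_FLOWS, relays={"10.0.0.9"}):
        print(f"{src} opened SMTP to {count} distinct external hosts")
```

In an environment where only the mail relay is allowed to speak SMTP outbound, the threshold can be dropped to 1 and the same logic becomes a policy violation alert rather than a statistical one.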
These are the 2010 Top 5 most dangerous malwares. I would like to wish our readers, fans, followers and subscribers from around the globe a safe and prosperous New Year; may the year 2011 be full of joy and rewards. Happy New Year!
Make sure you subscribe to my RSS feed!