Be Careful with Tmphider or Stuxnet.

Wednesday, 21 July 2010


Symantec Security has released the news about the threat of a new rootkit called "Tmphider or Stuxnet." The threat of a recently discovered has been stealing the attention because it uses techniques that have never encountered before and is spread through USB drives.
Analysis of these threats have been made and the Symantec Security will update this blog, with more complete information if necessary.


There are many files associated with this threat. The files are comprised of installers and components rootkoit threat. Both were detected as W32.Temphid. Here are some of the file name components

~ WTR4141.tmp
~ WTR4132.tmp
Mrxcls.sys
Mrxnet.sys
Moreover, these threats creates shortcut files / related links within the system. Here are some examples:

Copy of Shortcut to.Ink
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk

Although Symantec Security analysis still continues and to see that so many PCs in Southeast Asia which became the target of this threat, the following is a detailed information about the countries targeted by the threat:
Category "Others" is a list of 50 more countries, but the chance of emergence of this threat is very small.





















These threats exploit vulnerabilities that have not been encountered previously and transmitted using a drive that can be removable. This vulnerability has been confirmed by Microsoft that has released security advisory for this issue.
Data in the field showed some version of Windows is the target of this malicious file attacks. However, not all the versions that have exploited this vulnerability to be used for an attack.
These threats have rootkit components that are used to hide the two types of files:

All files that end with '. Ink'
All files that begin with '~ WTR' and ends with '. Tmp'.
The threat has user mode and kernel rootkits. The files '. Sys' mentioned above is used in kernel mode. The files '. Tmp' is used to hide files via user mode.
This means, when an infected system, you will not be able to see the files copied to the USB drive because the files are hidden by the rootkit. However, Symantec products still will detect these files.

Link files mentioned above are part of the exploits and used to enter and then ~ ~ WTR4141.tmp WTR4132.tmp. These threats have a variety of functions. Symantec's analysis of these functions are now still in progress; even so, Symantec can confirm that today the threat is using some DLLs from Siemens for its 'Step 7' to access the system 'SCADA'. The threat was determined using the username and password have been set up to connect to the database associated with the SCADA system in order to obtain the file and run various queries to gather information. The threats were also collect other information relating to the configuration of servers and network.

Symantec Security has released a set of signatures designed to detect the files. Lnk used in this attack. These files will be detected as W32.Temphid from the definition of Rapid Release on July 16, 2010 revision 035 and thereafter.

Does disabling Autoplay will protect against this threat?
Unfortunately not. This worm exploits a newly discovered vulnerabilities and have not patched and it works just like Windows Explorer to handle the files. Lnk. This feature has no relation with that of disabling Autoplay Autoplay will not help prevent worm infections in this attack. In general, disabling AutoPlay is a good idea.

0 komentar:

Post a Comment