bsides algiers - stuxnet - sofiane talmat
http://www.synapse-labs.com [email protected]
The Malware Industry (Part II): STUXNET
Presented by: Sofiane Talmat
Malware research team: Sofiane Talmat (Algeria), Ehab Hussein (Egypt)
- Solution Development
- Security Services
- Corporate Services
- Trainings
FACT 1 : ~WTR4132.TMP
FACT 2 : ~WTR4132.TMP
FACT 3 : MRXCLS.sys
FACT 4 : MRXCLS.sys
FACT 5 : MRXNET.sys
FACT 6 : MRXNET.sys
Lifecycle
PRIVILEGE ESCALATION
- MS-10-073 – Win32K.sys Keyboard Layout Vulnerability
- MS-10-092 – Windows Task Scheduler Vulnerability
CreateProcess argument stack as captured in the debugger:

ESP     > 0006F4F8 |ModuleFileName = "C:\WINDOWS\system32\lsass.exe"
ESP+4   > 00000000 |CommandLine = NULL
ESP+8   > 00000000 |pProcessSecurity = NULL
ESP+C   > 00000000 |pThreadSecurity = NULL
ESP+10  > 00000001 |InheritHandles = TRUE
ESP+14  > 0800000C |CreationFlags = CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_NO_WINDOW
ESP+18  > 00000000 |pEnvironment = NULL
ESP+1C  > 00000000 |CurrentDir = NULL
ESP+20  > 0006F13C |pStartupInfo = 0006F13C
ESP+24  > 0006F730 \pProcessInfo = 0006F730
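The stack dump above is the kind of artifact an analyst captures at a CreateProcess hook. As an added example (not from the slides), this parses such a dump, decodes the CreationFlags word with the documented Win32 flag values, and surfaces the pattern shown: a suspended, windowless copy of lsass.exe launched with no command line. The dump text is a constructed sample re-typed from the slide.

```python
# Added example, not part of the original slides. Decodes a CreateProcess
# argument dump and flags the suspended-system-binary pattern it contains.

# Documented Win32 dwCreationFlags bit values (subset).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x08000000: "CREATE_NO_WINDOW",
}

# Constructed sample: the lines from the slide's debugger capture.
SAMPLE_DUMP = r"""
ESP     > 0006F4F8 |ModuleFileName = "C:\WINDOWS\system32\lsass.exe"
ESP+4   > 00000000 |CommandLine = NULL
ESP+10  > 00000001 |InheritHandles = TRUE
ESP+14  > 0800000C |CreationFlags = CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_NO_WINDOW
"""


def decode_creation_flags(value):
    """Return the flag names set in a dwCreationFlags word, plus any unknown bits."""
    names = [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]
    unknown = value & ~sum(CREATION_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08X})")
    return names


def parse_dump(text):
    """Map 'ESP+N > hexvalue |name = meaning' lines to name -> (int value, meaning text)."""
    args = {}
    for line in text.strip().splitlines():
        left, _, rest = line.partition("|")       # split off the raw stack slot
        value = int(left.split()[-1], 16)          # last token on the left is the hex value
        name, _, meaning = rest.partition("=")
        args[name.strip()] = (value, meaning.strip())
    return args


def suspicious_launch(args):
    """Heuristic a hook or EDR rule would raise on: system binary started suspended, no command line."""
    value, _ = args["CreationFlags"]
    image = args["ModuleFileName"][1].strip('"').lower()
    flags = decode_creation_flags(value)
    reasons = []
    if "CREATE_SUSPENDED" in flags and image.endswith("\\lsass.exe"):
        reasons.append("lsass.exe started suspended")
    if args["CommandLine"][1] == "NULL" and "CREATE_NO_WINDOW" in flags:
        reasons.append("no command line and no window")
    return reasons
```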
• Stuxnet: references
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
Questions
Facebook: Facebook.com/Synapse.Labs
Twitter: @Synapse_Labs