Same Platform Made Stuxnet, Duqu; Others Lurk

wiredmikey writes "New research from Kaspersky Labs has revealed that the platform dubbed 'tilded' (~d), which was used to develop Stuxnet and Duqu, has been around for years. The researchers say that same platform has been used to create similar Trojans which have yet to be discovered. Alexander Gostev and Igor Sumenkov have put together some interesting research, the key point being that the person(s) behind what the world knows as Stuxnet and Duqu have actually been using the same development platform for several years." An anonymous reader adds a link to this "surprisingly entertaining presentation" (video) by a Microsoft engineer, in which "he tells the story of how he and others analysed the exploits used by Stuxnet. Also surprising is the simplicity of the exploits, which were still present in Win7." See also the report at Securelist from which the SecurityWeek story draws.
  • by Anonymous Coward on Sunday January 01, 2012 @09:51AM (#38555626)

    In the video at 11:16-ish he says, "it is loading the dll from the net". Essentially Windows allows an attacker to build executables from library sources, disguised as icon containers, located anywhere on the net. Priceless!

    What exactly is that second sentence trying to say? I can't parse that. Libraries have always contained executable code; hell, rundll32.exe mydll.dll,SomeFunctionInTheDll will cause the DLL to be loaded and run SomeFunctionInTheDll as the int main().

    What he said is that Control Panel Applets have a feature called "Dynamic Icons", that is, the icon can change or even be entirely drawn by code instead of stored in the program (so the icon for the Windows Firewall can change and the brick wall disappears when the firewall is disabled, or something like that), but doing that requires actually running native machine code outside of a sandbox (which is frickin' stupid). He then went on to say that Windows didn't give a crap about the path where the CPL was stored: it could be C:\applet.cpl, A:\applet.cpl, \\someothercomputer\someshare\applet.cpl or a WebDAV folder on a website (which is only slightly worse than the fact that it already worked with network shares anyway).

    Windows XP fixed the "DLL which contains icons causes code to run" problem of XP/2000 when they added LoadLibraryEx with the DONT_RESOLVE_DLL_REFERENCES and LOAD_LIBRARY_AS_DATAFILE flags. The problem is limited to CPLs, which (because of Dynamic Icons) physically can't be loaded that way.
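The flags named in the comment work because a stored icon is just a resource blob, so extracting it needs nothing from the module to execute. As an added example, not from this thread or from Microsoft, the Python below walks a PE resource tree as raw bytes and returns the RT_GROUP_ICON entries; the image it parses is a constructed minimal PE32 (build_sample_pe, GROUP_ICON_PAYLOAD and the 0x1000/0x200 layout are all made up for the demo).

```python
import struct

RT_GROUP_ICON = 14  # resource type of an icon directory inside a .cpl/.dll/.exe
# Constructed GRPICONDIR + one GRPICONDIRENTRY: a 16x16 32-bpp icon whose image is RT_ICON #1
GROUP_ICON_PAYLOAD = struct.pack("<HHH", 0, 1, 1) + struct.pack("<BBBBHHIH", 16, 16, 0, 0, 1, 32, 1128, 1)
DIR1 = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)  # IMAGE_RESOURCE_DIRECTORY: 0 named + 1 id entry

def build_sample_pe():
    """Constructed minimal PE32 image: one .rsrc section holding a single RT_GROUP_ICON."""
    rsrc = DIR1 + struct.pack("<II", RT_GROUP_ICON, 0x80000000 | 24)          # type -> subdir @24
    rsrc += DIR1 + struct.pack("<II", 1, 0x80000000 | 48)                    # name 1 -> subdir @48
    rsrc += DIR1 + struct.pack("<II", 0x409, 72)                             # lang -> data entry @72
    rsrc += struct.pack("<IIII", 0x1000 + 88, len(GROUP_ICON_PAYLOAD), 0, 0)  # IMAGE_RESOURCE_DATA_ENTRY
    rsrc += GROUP_ICON_PAYLOAD                                                # payload @88
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, 0x1000, len(rsrc))  # resource data directory (index 2)
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x1000, len(rsrc), 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sect).ljust(0x200, b"\0") + rsrc  # raw .rsrc data at file offset 0x200

def find_group_icons(pe):
    """Walk the resource tree as plain bytes (no LoadLibrary): returns [(name_id, lang_id, blob)]."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    _, n_sections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    rsrc_rva = struct.unpack_from("<I", pe, opt + (112 if magic == 0x10B else 128))[0]  # PE32 / PE32+
    # (VirtualAddress, SizeOfRawData, PointerToRawData) of every section header
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12) for i in range(n_sections)]
    def rva_to_off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError("RVA %#x is not backed by file data" % rva)
    base, found = rva_to_off(rsrc_rva), []
    def walk(dir_off, path):
        n_named, n_ids = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for i in range(n_named + n_ids):
            ident, off = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
            if off & 0x80000000:  # high bit set: entry points at a subdirectory
                walk(off & 0x7FFFFFFF, path + (ident,))
            else:                 # leaf: IMAGE_RESOURCE_DATA_ENTRY (RVA, size, codepage, reserved)
                data_rva, size = struct.unpack_from("<II", pe, base + off)
                start = rva_to_off(data_rva)
                found.append(path + (ident, pe[start:start + size]))
    walk(0, ())
    return [(name, lang, blob) for rtype, name, lang, blob in found if rtype == RT_GROUP_ICON]
```

A CPL whose icon is drawn by code rather than stored has no such resource to find, which is exactly the gap the comment describes.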
