Yet more on Win32/Stuxnet
Our colleagues in Bratislava have issued a press release which focuses on the clustering of reports from the US and Iran, and also quotes Randy Abrams, whose follow-up blog also discusses the SCADA-related malware issue at length.
The Internet Storm Center has, unusually, raised its Infocon level to yellow in order to raise awareness of the issue and “preempt a major issue resulting from its exploitation.”
Softpedia and Computerworld are among sites noting the publication of exploit code using the .LNK vulnerability.
Our colleagues in Spain have also published a blog that makes a couple of points worth reiterating.
- Use an antivirus product capable of detecting these threats. Of course, you’d expect us to say something like this since anti-malware is what we sell, but the fact is that at this moment AV detection may be a better solution for the currently known threats than the workarounds suggested by Microsoft in their advisory. Note, however, that there are indications that those responsible for the initial attacks are already taking measures to vary the attack. (More about that later.)
- If you’re using XP SP2, it’s quite possible that when Microsoft does release a patch, it won’t cover your system. The same applies to Windows 2000 users, only more so. At least SP2 users should be able to get respite by upgrading to SP3.
David Harley CITP FBCS CISSP
Senior Research Fellow
4 Responses to “Yet more on Win32/Stuxnet”

July 19th, 2010 at 1:27 pm
ESET Security does not have a shell extension for on-demand scanning of .LNK files; is this likely to change now?
July 19th, 2010 at 4:19 pm
I'm not sure what you mean. You can right click on any file and scan it.
Randy Abrams
July 20th, 2010 at 9:18 am
Tried with the PoC with the following results:
http://img69.imageshack.us/img69/7097/eset.png
Maybe I'm missing something?!
July 23rd, 2010 at 2:07 pm
Yes, there was a short time when we had to pull the generic detection to fix a problem. It was then put back into the updates, and you will find the PoC is detected, as are some new .lnk files we are beginning to see used for malware.