We have been made aware of a recent blog posting pointing to the fact that the print spooler
vulnerability used by W32.Stuxnet and addressed in the Microsoft Windows Print Spooler Service
Remote Code Execution Vulnerability was in fact known about since 2009. An article was published in a
security magazine that showed how the vulnerability worked in late 2009. We are currently investigating
this; however, from our initial review of that article it appears to do exactly what Stuxnet does when
exploiting the Print Spooler vulnerability...
~Symantec.com blogs
Stuxnet carried a Remote Procedure Call (RPC) server and client component. This component provided server/client and peer-to-peer (P2P) communication and remote execution of code pushed between infected hosts, among other things; it is a separate mechanism from the "zero-day" .lnk shortcut vulnerability (CVE-2010-2568), which Stuxnet used to spread through removable drives. Reminiscent of the agent.btz incidents of 2008-09, the Stuxnet worm used a server/client protocol to exchange information and commands. By default, W32.Stuxnet sent the IP address, the computer name, and the name of the workgroup or domain the infected computer belonged to, to the command-and-control server.
Coinciding with the disappearance of these control servers, Symantec's analysis showed the emergence of a P2P component in the Stuxnet code base. The highlighted functionality in this category fell into two groups:
Server Functions
Client Functions
Therefore, even in the absence of an available control server, the worm can update and modify its behavior through networks of Stuxnet-infected computers: any host that obtains a newer copy becomes the source from which its peers pull it.
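The update exchange described above, as an added simplified model (this is illustration code written for this page, not Stuxnet code and not Symantec's analysis). Each infected host is modelled as both an RPC server, which reports its version and serves its current payload, and an RPC client, which polls the hosts it can reach and adopts any newer copy; the method names rpc_get_version/rpc_get_payload, the round-based schedule and the two topologies are assumptions made for the illustration.

```python
"""Simplified model of the peer-to-peer update exchange described above.

Added example; not Stuxnet code and not Symantec's analysis. Every infected
host acts both as an RPC server (reporting its version and serving its current
payload) and as an RPC client (polling peers and adopting any newer copy), so a
newer version introduced anywhere spreads without a control server. The method
names, the round-based schedule and the topologies are assumptions made for
the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    version: int
    payload: str
    neighbours: list = field(default_factory=list)

    # --- server side: what this host exposes to other infected hosts ---
    def rpc_get_version(self) -> int:
        """Assumed RPC call: report the version of the copy running here."""
        return self.version

    def rpc_get_payload(self) -> tuple:
        """Assumed RPC call: hand out the current (version, payload) pair."""
        return self.version, self.payload

    # --- client side: poll the reachable hosts and pull whatever is newer ---
    def sync_from_peers(self) -> bool:
        """Return True if this host replaced its copy with a newer one."""
        updated = False
        for peer in self.neighbours:
            if peer.rpc_get_version() > self.version:
                self.version, self.payload = peer.rpc_get_payload()
                updated = True
        return updated


def build_chain(names):
    """Hosts that can only reach their immediate neighbours (A-B-C-D)."""
    peers = [Peer(n, 1, "v1") for n in names]
    for i, p in enumerate(peers):
        p.neighbours = [q for j, q in enumerate(peers) if abs(i - j) == 1]
    return peers


def build_full_mesh(names):
    """Hosts on one flat LAN where every host can reach every other."""
    peers = [Peer(n, 1, "v1") for n in names]
    for p in peers:
        p.neighbours = [q for q in peers if q is not p]
    return peers


def gossip_until_stable(peers, max_rounds=20):
    """Run sync rounds until no host changes.

    Returns (rounds_needed, {host: version}); rounds_needed counts only the
    rounds in which at least one host updated.
    """
    for done in range(max_rounds + 1):
        changed = [p.sync_from_peers() for p in peers]
        if not any(changed):
            return done, {p.name: p.version for p in peers}
    return max_rounds, {p.name: p.version for p in peers}


if __name__ == "__main__":
    lan = build_chain(["A", "B", "C", "D"])
    # D received version 2 first (for example from a removable drive); nobody contacted a C&C.
    lan[-1].version, lan[-1].payload = 2, "v2: new behaviour"
    rounds, versions = gossip_until_stable(lan)
    print(f"chain: converged after {rounds} round(s): {versions}")
```

On a chain the new version needs one round per hop, so it reaches the far end after three rounds; on a full mesh every host pulls it in the first round. The comparison is a bare "peer version greater than mine", which is why a single host carrying a newer build is enough to re-task the whole infected population with no server involved.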
The Print Spooler vulnerability (CVE-2010-2729), in tandem with the elevation-of-privilege vulnerabilities Stuxnet already carried, then permits additional LAN-based propagation. The "attacking" host simply sends a print request over RPC to a machine that shares a printer. The machine under attack may accept this request, and its spooler then writes the attacker-supplied file into the SYSTEM32 folder, a location that is normally write-protected and reachable only with elevated privileges. Once the code is saved there, it is run remotely. This vulnerability, popularly referred to as a "zero-day", had in fact been known about since 2009; it was patched in MS10-061.
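A detection heuristic for the write primitive described in this paragraph, added here as an illustration (not part of the original page, of Microsoft's guidance, or of any vendor tooling). It scans constructed Sysmon-style FileCreate records (Event ID 11) and flags the Print Spooler service (spoolsv.exe) creating a file outside its own spool directory; an executable, driver or MOF file landing under System32 that way is rated high. The key=value log format, the field names and every sample line are constructed for the example.

```python
"""Detection heuristic for the spooler write primitive described above.

Added example, not part of the original page, of Microsoft's guidance, or of
any vendor tooling. It scans constructed Sysmon-style FileCreate records
(Event ID 11) and flags the Print Spooler service (spoolsv.exe) creating a
file outside its own spool directory; an executable, driver or MOF file
landing under System32 this way is rated high. The log format, the field
names and every sample line are constructed for the illustration.
"""
import re
from pathlib import PureWindowsPath

SPOOLER_IMAGE = "spoolsv.exe"
SYSTEM32 = "c:\\windows\\system32\\"
# Legitimate spooler output (job and shadow files) lives here; writes elsewhere are unusual.
SPOOL_DIR = SYSTEM32 + "spool\\"
# Extensions that get executed or compiled rather than printed. MOF files dropped into
# System32\wbem\mof were compiled automatically on older Windows versions.
CODE_EXTS = {".exe", ".dll", ".sys", ".mof", ".bat", ".cmd", ".vbs", ".ps1"}

# Constructed sample log: one key=value event per line, no spaces inside values.
SAMPLE_LOG = r"""
EventID=11 Image=C:\Windows\System32\spoolsv.exe TargetFilename=C:\Windows\System32\spool\PRINTERS\00012.SPL
EventID=11 Image=C:\Windows\System32\spoolsv.exe TargetFilename=C:\Windows\System32\dropped.exe
EventID=11 Image=C:\Windows\System32\spoolsv.exe TargetFilename=C:\Windows\System32\wbem\mof\dropped.mof
EventID=11 Image=C:\Windows\System32\spoolsv.exe TargetFilename=C:\ProgramData\odd.tmp
EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Desktop\notes.txt
EventID=1 Image=C:\Windows\System32\spoolsv.exe CommandLine=spoolsv.exe
""".strip()


def parse_event(line: str) -> dict:
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix)


def classify(event: dict):
    """Return an alert dict for a suspicious spooler write, else None."""
    if event.get("EventID") != "11":
        return None
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    if PureWindowsPath(image).name.lower() != SPOOLER_IMAGE:
        return None
    if _under(target, SPOOL_DIR):
        return None                      # normal print-job files
    ext = PureWindowsPath(target).suffix.lower()
    if ext in CODE_EXTS and _under(target, SYSTEM32):
        severity = "high"                # code written into a privileged directory
    else:
        severity = "medium"              # unusual spooler write, but not obviously code
    return {"severity": severity, "image": image, "target": target}


def scan(log_text: str) -> list:
    """Run classify() over every line and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['image']} wrote {a['target']}")
```

Excluding the whole spool directory is a simplification: printer driver installation also writes under spool\drivers and would need its own rule, and a patched host (MS10-061) no longer lets a print request choose the destination path at all, so the rule is a backstop for unpatched or legacy machines rather than a substitute for the patch.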
http://www.wired.com/dangerroom/tag/operation-buckshot-yankee
http://articles.latimes.com/2008/nov/28/nation/na-cyberattack28