BSides Algiers - Stuxnet - Sofiane Talmat

Transcript

  • 1. The Malware Industry (Part II): STUXNET. Presented by: Sofiane Talmat. Malware research team: Sofiane Talmat (Algeria), Ehab Hussein (Egypt). http://www.synapse-labs.com info@synapse-labs.com
  • 2. Security Services, Corporate Services, Solution Development, Trainings
  • 3. FACT 1: ~WTR4132.TMP (the main Stuxnet DLL dropped next to the .lnk files on removable media)
  • 4. FACT 2: ~WTR4132.TMP
  • 5. FACT 3: MRXCLS.sys (the load-point driver that injects Stuxnet into target processes at boot)
  • 6. FACT 4: MRXCLS.sys
  • 7. FACT 5: MRXNET.sys (the rootkit driver that hides the .lnk and ~WTR*.tmp files)
  • 8. FACT 6: MRXNET.sys
  • 9. Lifecycle
  • 10. PRIVILEGE ESCALATION
    - MS10-073: Win32k.sys keyboard layout vulnerability
    - MS10-092: Windows Task Scheduler vulnerability
  • 15. Stack at the CreateProcess call (debugger view): Stuxnet starts a fresh lsass.exe suspended and without a window, so the process exists but runs none of its own code until the payload has been injected and its thread resumed.
    ESP    > 0006F4F8  |ModuleFileName = "C:\WINDOWS\system32\lsass.exe"
    ESP+4  > 00000000  |CommandLine = NULL
    ESP+8  > 00000000  |pProcessSecurity = NULL
    ESP+C  > 00000000  |pThreadSecurity = NULL
    ESP+10 > 00000001  |InheritHandles = TRUE
    ESP+14 > 0800000C  |CreationFlags = CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_NO_WINDOW
    ESP+18 > 00000000  |pEnvironment = NULL
    ESP+1C > 00000000  |CurrentDir = NULL
    ESP+20 > 0006F13C  |pStartupInfo = 0006F13C
    ESP+24 > 0006F730  \pProcessInfo = 0006F730
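The artefact names on slides 3 to 8 and the suspended lsass.exe spawn on slide 15 are what a defender would turn into checks. The Python below is an added example, not code from the talk or from Synapse Labs: it decodes the captured dwCreationFlags value 0x0800000C with the documented winbase.h constants, and scans constructed key=value events (a made-up format, not a real log schema) for the driver and dropper file names and for lsass.exe started by anything other than its legitimate parent (winlogon.exe on Windows XP, wininit.exe on Vista and later). ~WTR4141.tmp is included from the Symantec dossier the talk cites; the sample events are constructed for the example.

```python
"""Checks for the Stuxnet artefacts named in the slides (added example)."""
import ntpath
import re

# dwCreationFlags bits from winbase.h, used to decode the value captured on slide 15.
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS",
    0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


def decode_creation_flags(value):
    """Return the flag names set in a dwCreationFlags value, lowest bit first."""
    names = [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]
    unknown = value & ~sum(CREATION_FLAGS)  # bits not in the table above
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08X})")
    return names


# Legitimate parents of lsass.exe: winlogon.exe on Windows XP, wininit.exe on Vista and later.
LSASS_PARENTS = {"winlogon.exe", "wininit.exe"}
# Driver names from slides 5 to 8; dropper names from slides 3 and 4 plus the
# companion loader ~WTR4141.tmp documented in the Symantec dossier the talk cites.
STUXNET_DRIVERS = {"mrxcls.sys", "mrxnet.sys"}
STUXNET_DROPPERS = {"~wtr4132.tmp", "~wtr4141.tmp"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def parse_event(line):
    """Parse one 'key=value key=value' line (constructed format, not a real log schema)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def scan(lines):
    """Return (line_number, reason) for each event matching a Stuxnet indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        kind = ev.get("event")
        image = _base(ev.get("image", ""))
        if kind == "ProcessCreate" and image == "lsass.exe":
            parent = _base(ev.get("parent", ""))
            if parent not in LSASS_PARENTS:
                findings.append((n, f"lsass.exe spawned by {parent}: host-process pattern from slide 15"))
        elif kind == "DriverLoad" and image in STUXNET_DRIVERS:
            findings.append((n, f"Stuxnet driver loaded: {image}"))
        elif kind == "FileCreate" and _base(ev.get("target", "")) in STUXNET_DROPPERS:
            findings.append((n, f"Stuxnet dropper written: {ev['target']}"))
    return findings


# Constructed sample events: one benign and one suspicious of each kind.
SAMPLE_EVENTS = [
    r"event=ProcessCreate image=C:\WINDOWS\system32\lsass.exe parent=C:\WINDOWS\system32\winlogon.exe",
    r"event=ProcessCreate image=C:\WINDOWS\system32\lsass.exe parent=C:\WINDOWS\system32\svchost.exe",
    r"event=DriverLoad image=C:\WINDOWS\system32\drivers\mrxnet.sys",
    r"event=DriverLoad image=C:\WINDOWS\system32\drivers\ntfs.sys",
    r"event=FileCreate image=C:\WINDOWS\explorer.exe target=E:\~WTR4132.tmp",
    r"event=FileCreate image=C:\WINDOWS\explorer.exe target=C:\Users\a\report.docx",
]

if __name__ == "__main__":
    print("0x0800000C =", " | ".join(decode_creation_flags(0x0800000C)))
    for n, reason in scan(SAMPLE_EVENTS):
        print(f"event {n}: {reason}")
```

The parent check is the durable part of this: the file names can be changed by a rebuild, but a host process such as lsass.exe appearing under a parent that never legitimately starts it is an indicator that survives renaming.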
  • 19. Stuxnet references:
    - http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
    - http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
  • 20. Questions. Facebook.com/Synapse.Labs, Twitter: @Synapse_Labs