<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; worm</title> <atom:link href="http://www.ghacks.net/tag/worm/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 13:29:21 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Stuxnet Removal Tool</title><link>http://www.ghacks.net/2010/10/12/stuxnet-removal-tool/</link> <comments>http://www.ghacks.net/2010/10/12/stuxnet-removal-tool/#comments</comments> <pubDate>Mon, 11 Oct 2010 22:02:07 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[bitdefender]]></category> <category><![CDATA[portable software]]></category> <category><![CDATA[security-software]]></category> <category><![CDATA[stuxnet]]></category> <category><![CDATA[stuxnet removal]]></category> <category><![CDATA[Stuxnet Removal Tool]]></category> <category><![CDATA[windows software]]></category> <category><![CDATA[worm]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=35809</guid> <description><![CDATA[The public became aware of the Stuxnet worm back in July, largely because it was linked to several 0-day vulnerabilities of the Windows operating system. Researchers who analyzed the worm discovered what appeared to be its core purpose: to target industrial computer networks running Siemens WinCC software. But the nature of the vulnerability made all [...]]]></description> <content:encoded><![CDATA[<p>The public became aware of the Stuxnet worm back in July, largely because it was linked to several 0-day vulnerabilities of the Windows operating system. Researchers who analyzed the worm discovered what appeared to be its core purpose: to target industrial computer networks running Siemens WinCC software. But the nature of the vulnerability made all Windows systems vulnerable, and while workarounds were published shortly after the discovery, they were not enough to limit or even eliminate the spreading of the worm.</p><p>Stuxnet exploits a vulnerability in Windows that allows the spreading of the worm without file execution. A successful exploitation of the system installs two rootkits and a backdoor on the system.</p><p>Some antivirus solutions are not able to detect Stuxnet, or variants of the worm. Users who want to make sure that their system is not infected by the worm, and users who have to recover an infected system, may want to download BitDefender&#8217;s Stuxnet Removal tool.</p><p>The free program detects and removes all known Stuxnet variants.</p><blockquote><p>BitDefender has added generic detection covering all variants of Stuxnet as of July 19, thus protecting its customers since day zero. Computer users that are not running a BitDefender security solution can now eliminate Stuxnet from the infected systems by running the attached removal tool. The tool can be run on both 32- and 64-bit installations and will eliminate both the rootkit drivers and the worm.</p></blockquote><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/10/bitdefender-stuxnet-removal-tool-500x333.png" alt="bitdefender stuxnet removal tool" title="bitdefender stuxnet removal tool" width="500" height="333" class="alignnone size-medium wp-image-35810" /></p><p>The portable program will perform an automatic scan on startup, and offers manual scanning options in the program options as well.</p><p>A system infected by Stuxnet will be restored by removing the two rootkits after the scan, and the worm after a necessary restart of the computer system.</p><p>The Stuxnet Removal Tool is compatible with 32-bit and 64-bit editions of the Windows operating system. It can be downloaded directly from <a
href="http://www.malwarecity.com/community/index.php?s=2d5023c23717d299151dbce79677787b&#038;app=downloads&#038;showfile=12">Malware City</a>, BitDefender&#8217;s community site. (via <a
href="http://www.jkwebtalks.com/2010/10/remove-stuxnet-and-its-variant-rootkits.html?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed:+blogspot/xhGs+(Jkwebtalks)">JKWebTalks</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/10/12/stuxnet-removal-tool/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> <item><title>Infrastructure worm targets Iran</title><link>http://www.ghacks.net/2010/09/24/infrastructure-worm-targets-iran/</link> <comments>http://www.ghacks.net/2010/09/24/infrastructure-worm-targets-iran/#comments</comments> <pubDate>Fri, 24 Sep 2010 09:58:49 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[cyber terrorism]]></category> <category><![CDATA[iran]]></category> <category><![CDATA[siemens]]></category> <category><![CDATA[terrorism]]></category> <category><![CDATA[worm]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=35148</guid> <description><![CDATA[A new worm that has been named Stuxnet has been detected that appears to have been written specifically to attack infrastructure in the Islamic Republic of Iran. In the first example of malware of this type the worm was programmed to attack power stations, water plants and industrial units. A report by the BBC has said [...]]]></description> <content:encoded><![CDATA[<p>A new worm that has been named Stuxnet has been detected that appears to have been written specifically to attack infrastructure in the Islamic Republic of Iran.</p><p>In the first example of malware of this type the worm was programmed to attack power stations, water plants and industrial units.</p><p>A report by the <a
href="http://www.bbc.co.uk/news/technology-11388018" target="_blank">BBC</a> has said that the sheer complexity of the worm means it could only have been written by another &#8220;nation state&#8221; and so would make it the first real-world example of what most people would expect cyber-terrorism to look like.</p><p>Liam O&#8217;Murchu from security firm Symantec told the BBC &#8220;The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it.&#8221;</p><p>Some people have speculated the worm could have been written to specifically target Iran&#8217;s nuclear facilities, though there is not enough evidence to draw any conclusions about what its intended target was or who wrote it.</p><p>Stuxnet was first detected in June by a security firm in Belarus who discovered it was trying to infect systems that, for security reasons, are not normally connected to the Internet.  
It was coded to seek out a specific configuration of industrial control software made by European electronics giant Siemens.</p><p>Once the systems were hijacked, the worm would give the systems new instructions that could have seen them overheat as monitoring was shut down, or that could have seen the systems shut down altogether.</p><p>Either way this is clearly a very specific type of attack and no party has come forward to claim responsibility for it.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/09/24/infrastructure-worm-targets-iran/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Twitter patches porn site worm flaw</title><link>http://www.ghacks.net/2010/09/21/twitter-patches-porn-site-worm-flaw/</link> <comments>http://www.ghacks.net/2010/09/21/twitter-patches-porn-site-worm-flaw/#comments</comments> <pubDate>Tue, 21 Sep 2010 19:26:24 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[porn]]></category> <category><![CDATA[twitter]]></category> <category><![CDATA[worm]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=34898</guid> <description><![CDATA[Twitter has today updated its website to patch a flaw that was allowing spammers to cause multiple pop-ups with links to porn websites. The code has been spread by worms and thousands of people around the world have been caught out.  The self-replicating worm exploited a cross-site scripting (XSS) vulnerability and used just a small [...]]]></description> <content:encoded><![CDATA[<p>Twitter has today updated its website to patch a flaw that was allowing spammers to cause multiple pop-ups with links to porn websites.</p><p>The code has been spread by worms and thousands of people around the world have been caught out.  The self-replicating worm exploited a cross-site scripting (XSS) vulnerability and used just a small amount of JavaScript to automatically direct Twitter website users to another website.</p><p>The vulnerability appeared to users as a coloured block that users only had to mouse-over to activate.</p><p>It only affected people directly using the website Twitter.com and not other third-party software such as TweetDeck or applications on smartphones.</p><p>The worm was initially created by Magnus Holm who &#8220;simply wanted to exploit the hole without doing any &#8216;real&#8217; harm&#8221; according to <a
href="http://www.bbc.co.uk/news/technology-11382469" target="_blank">BBC News</a>.  &#8220;It started off as &#8216;ha, no way this is going to work&#8217;.&#8221;  After he used it, however, the flaw was identified by others and was then used for more unwanted purposes.</p><p>Mr Holm said he&#8217;d seen the worm passed around in at least 200,000 tweets.</p><p>In April 2009 Twitter suffered another attack that spread links to a rival website.  Twitter security chief Bob Lord said today: &#8220;This issue is now resolved. We apologise to those who may have encountered it.&#8221;</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/09/21/twitter-patches-porn-site-worm-flaw/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>New Sex Worm spreads like it&#8217;s 1999</title><link>http://www.ghacks.net/2010/09/10/sex-worm-spreads-like-its-1999/</link> <comments>http://www.ghacks.net/2010/09/10/sex-worm-spreads-like-its-1999/#comments</comments> <pubDate>Fri, 10 Sep 2010 11:17:34 +0000</pubDate> <dc:creator>Mike Halsey MVP</dc:creator> <category><![CDATA[Adobe]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[i love you]]></category> <category><![CDATA[kournikova]]></category> <category><![CDATA[malware]]></category> <category><![CDATA[virus]]></category> <category><![CDATA[worm]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=34141</guid> <description><![CDATA[Ten years ago there were worms like Kournikova and I Love You that were infecting computers worldwide with malware and getting mainstream attention on the news.  In that time operating systems and anti-malware programs have improved but now a new sex worm is making its way around the world according to the BBC. Some variants [...]]]></description> <content:encoded><![CDATA[<p>Ten years ago there were worms like Kournikova and I Love You that were infecting computers worldwide with malware and getting mainstream attention on the news.  In that time operating systems and anti-malware programs have improved but now a new sex worm is making its way around the world according to the <a
href="http://www.bbc.co.uk/news/technology-11258795" target="_blank">BBC</a>.</p><p>Some variants of the worm contain a link to a PDF document; this PDF contains malware that opens access to the user&#8217;s email address book.  It&#8217;s becoming increasingly common for Adobe&#8217;s file formats to be used for viruses and malware since increased security in newer versions of Microsoft Windows has made it a much harder target.</p><p>The worm will immediately spread by sending a copy of itself to everyone in the user&#8217;s address book.  It will also attempt to remove or disable any security software on the PC so that it can remain undetected.  Finally it will look for open network links to other computers and attempt to auto-run itself on those machines.</p><p>The worm isn&#8217;t widespread but so far some major corporations have been hit including NASA, Disney and the insurance giant AIG.</p><p>Security firm Kaspersky said the new worm has similarities to the now infamous I Love You bug of ten years ago.
&#8220;The difference with those earlier attacks is that the e-mails typically carried the malicious file itself and didn&#8217;t rely on a link to a downloading site&#8230;But the technique used to entice users to click on the attachment or malicious link is the same: offer the user something he wants to see.&#8221;</p><p>As always our advice is to virus check any attachment before you open it, if you even need to open it at all.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/09/10/sex-worm-spreads-like-its-1999/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>iPhone Update: Crazy Hack, First Ever Worm, HD Radio And More</title><link>http://www.ghacks.net/2009/11/12/iphone-update-crazy-hack-first-ever-worm-hd-radio-and-more/</link> <comments>http://www.ghacks.net/2009/11/12/iphone-update-crazy-hack-first-ever-worm-hd-radio-and-more/#comments</comments> <pubDate>Thu, 12 Nov 2009 02:58:18 +0000</pubDate> <dc:creator>Shailpik</dc:creator> <category><![CDATA[Apple]]></category> <category><![CDATA[Cool]]></category> <category><![CDATA[Funny]]></category> <category><![CDATA[Gadgets]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[iPhone]]></category> <category><![CDATA[iPod]]></category> <category><![CDATA[Mobiles]]></category> <category><![CDATA[apple]]></category> <category><![CDATA[best iphone apps]]></category> <category><![CDATA[hack]]></category> <category><![CDATA[ibiquity gigware navigation controller]]></category> <category><![CDATA[iphone hd radio]]></category> <category><![CDATA[rickroll]]></category> <category><![CDATA[sparkz pico projector]]></category> <category><![CDATA[worm]]></category> <category><![CDATA[zune hd]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=18428</guid> <description><![CDATA[I am going to be doing a series of iPhone related posts for the next few posts. We have people doing interesting things with their iPhones and have more interesting accessories coming out for it now. In the meantime, the first ever worm for the iPhone gives everyone a bit of a scare. Get over [...]]]></description> <content:encoded><![CDATA[<p><img
class="alignleft size-full wp-image-13689" title="iphone3gs" src="http://www.ghacks.net/wp-content/uploads/2009/06/iphone3gs.jpg" alt="iphone3gs" width="128" height="149" />I am going to be doing a series of iPhone related posts for the next few posts. We have people doing interesting things with their iPhones and have more interesting accessories coming out for it now. In the meantime, the first ever worm for the iPhone gives everyone a bit of a scare. Get over to the other side and get updated.</p><h3><span
id="more-18428"></span>First iPhone Worm Rickrolls Jailbroken iPhones</h3><p><img
class="aligncenter size-full wp-image-18425" title="rickroll-091109" src="http://www.ghacks.net/wp-content/uploads/2009/11/rickroll-091109.jpg" alt="rickroll-091109" width="320" height="480" /></p><p>This has been the main worry about everything Mac: they do not have viruses now, true, but as they start to get more popular they will attract the attention of malware creators. So in that vein of paranoia, we have news of the first ever worm for the iPhone.</p><p>You can cut out the screaming and the deep breathing exercises because it is a) completely harmless and b) only effective on jailbroken iPhones. It does things like changing the wallpaper and rickrolling users, so it is not exactly destroying your iPhone yet. A worm on a jailbroken phone is a worm on a device that has already been tampered with. So you can wait for the first ever worm on legit iPhones before you hit the panic button. [<a
href="http://www.appleinsider.com/articles/09/11/09/first_known_iphone_worm_rickrolls_jailbroken_apple_handsets.html">read</a>]</p><h3>Complete Car Control Via iPhone</h3><div
style="text-align: center;"><object
classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param
value="http://www.youtube.com/v/_x5IziyOcAg&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" /><param
name="allowFullScreen" value="true" /><param
name="allowScriptAccess" value="always" /><param
name="src" value="http://www.youtube.com/v/_x5IziyOcAg&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" /><param
name="allowfullscreen" value="true" /><embed
type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/_x5IziyOcAg&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></div><p>Okay, this is certifiably crazy. In fact, we should probably start a ‘gHacks Certifiably Nuts’ award just for these fellas. But I must admit that what they are doing is pretty cool. We know that the iPhone can already be used to start your car remotely but <em>fully driving </em>with the iPhone kinda takes the cake.</p><p>So what you do is you take some electronic control circuits, hook them up to control your steering, acceleration and brakes and then control them wirelessly. If you want a less vague and more accurate description, check out the videos. It is quite nicely done and I especially love the fact that they are using the accelerometer to control the steering.</p><div
style="text-align: center;"><object
classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param
value="http://www.youtube.com/v/EQaQFxWG8Ro&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" /><param
name="allowFullScreen" value="true" /><param
name="allowScriptAccess" value="always" /><param
name="src" value="http://www.youtube.com/v/EQaQFxWG8Ro&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" /><param
name="allowfullscreen" value="true" /><embed
type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/EQaQFxWG8Ro&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></div><p>The result is pretty 007-ish &#8212; that you can drive your car through your iPhone. <em>Look M(a), no hands!</em> [<a
href="http://www.tuaw.com/2009/11/10/dangerously-driving-a-car-with-an-iphone/">read</a>]</p><h3>HD Radio Comes To The iPhone Via Gigaware</h3><p><img
class="aligncenter size-medium wp-image-18426" title="Gigaware Navigation Control from iBiquity" src="http://www.ghacks.net/wp-content/uploads/2009/11/Picture-1-500x177.png" alt="Gigaware Navigation Control from iBiquity" width="500" height="177" /></p><p>Now that the Zune HD is out, your least favorite co-worker who loves to make fun of your liking for Apple has probably been going on and on about how his Zune HD does HD radio and your iPod Touch does not. Setting aside the all-important question of how many <em>good </em>HD radio stations there are near you, you can now get back at him saying “there’s an app for that!”</p><p>But that would be kinda half true because even though iBiquity has made an app that plays HD radio on your iPhone, you still have to get additional hardware to accomplish the feat. The device is called Gigaware Navigation Controller and is essentially an HD tuner with iPhone integration. It allows you to seek and auto tune as well. Plus there is Facebook tagging and iTunes tagging.</p><p>Works with the latest iPhone and the iPod Touch. Available on RadioShack. [<a
href="http://www.macworld.com/article/143735/2009/11/hdradio_iphone.html?lsrc=rss_main">read</a>]</p><h3>Sparkz Projector For Your iPhone</h3><p><img
class="aligncenter size-medium wp-image-18427" title="091110-sparkz-01" src="http://www.ghacks.net/wp-content/uploads/2009/11/091110-sparkz-01-500x315.jpg" alt="091110-sparkz-01" width="500" height="315" /></p><p>Do you want to spend a lot of money on a pico projector that will work with your iPhone/iPod Touch/iPod Video? If you do, you can now have the Sparkz dock that lets you connect any of those devices and more to it so that you can project your favorites onto a nearby screen. It will support a/v and VGA inputs too.</p><p>Other than this extended support for inputs, it has a resolution of 640&#215;480, stereo speakers and a 60-inch viewing area. It charges your docked device while it is projecting <em>and</em> it comes with its own tripod. The price for so much goodness? A mere $495. Hey, I did say a <em>lot</em> of money. [<a
href="http://www.engadget.com/2009/11/10/sparkz-projector-dock-for-iphone-displays-your-videos-empties/">read</a>]</p><div
style="text-align: center;"><object
classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param
value="http://www.youtube.com/v/Q8mM2OhJvf4&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" /><param
name="allowFullScreen" value="true" /><param
name="allowScriptAccess" value="always" /><param
name="src" value="http://www.youtube.com/v/Q8mM2OhJvf4&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" /><param
name="allowfullscreen" value="true" /><embed
type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/Q8mM2OhJvf4&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;hl=en&amp;feature=player_embedded&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></div> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/11/12/iphone-update-crazy-hack-first-ever-worm-hd-radio-and-more/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Conficker Worm Detection And Removal</title><link>http://www.ghacks.net/2009/03/31/conficker-worm-detection-and-removal/</link> <comments>http://www.ghacks.net/2009/03/31/conficker-worm-detection-and-removal/#comments</comments> <pubDate>Tue, 31 Mar 2009 11:17:48 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[conficker]]></category> <category><![CDATA[conficker c]]></category> <category><![CDATA[conficker removal]]></category> <category><![CDATA[conficker worm]]></category> <category><![CDATA[downadup]]></category> <category><![CDATA[windows security]]></category> <category><![CDATA[windows software]]></category> <category><![CDATA[worm]]></category> <category><![CDATA[worm cleaner]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2009/03/31/conficker-worm-detection-and-removal/</guid> <description><![CDATA[By now you might have heard about the latest worm that is plaguing Internet users worldwide. It goes by the name of Conficker (or Downadup) and comes in the variants A, B and C, with C being the most evolved variant. To put it simply: Conficker uses a Windows vulnerability that was discovered in September 2008 [...]]]></description> <content:encoded><![CDATA[<p>By now you might have heard about the latest worm that is plaguing Internet users worldwide. It goes by the name of Conficker (or Downadup) and comes in the variants A, B and C, with C being the most evolved variant. To put it simply: Conficker uses a Windows vulnerability that was discovered in September 2008, and Microsoft released a patch that fixed it. The first worm that used the vulnerability was discovered in November 2008.</p><p>Conficker C will initiate a number of processes on infected host systems, including opening a random port which is used in the distribution process of the worm. The worm will then patch the security hole on the computer system that allowed it to attack the system in the first place. This prevents other viruses from exploiting the vulnerability while keeping a backdoor open for newer variants of the Conficker worm. The worm will block certain strings from being accessed on the Internet. Domain names making use of those strings cannot be accessed unless the IP is used to do so. Among the strings are the names of various security companies like microsoft, panda or symantec, but also generic strings like defender, conficker or anti-. This is to prevent users from accessing websites that contain information and removal instructions about the worm.</p><p>While this is surely a nuisance for the user it does mean that the worm itself is not harming the user system in any way other than the methods described above.
The real danger comes from the updating mechanism of Conficker C. The worm will try to retrieve new instructions on April 1, 2009. A very sophisticated updating mechanism has been implemented by the author. The worm will generate a list of 50K domain names and append a list of 116 top-level domains to them. It will then select 500 randomly from the list and try to connect to them. If new instructions are found on one of the URLs it will download them and execute them on the computer system. This process will be repeated every 24 hours.</p><p><span
id="more-11564"></span>The easiest way of detection is by accessing a site like microsoft.com or symantec.com and comparing the results with accessing the site using the IP addresses (207.46.197.32 and 206.204.52.31). While this usually gives a good indication it is better to check the computer system with tools that have been specifically designed to detect and remove the Conficker variants.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2009/03/conficker_removal-500x167.jpg" alt="conficker removal" title="conficker removal" width="500" height="167" class="alignnone size-medium wp-image-11563" /></p><p>A few tools that can be used to detect and remove Conficker variants are <a
href="http://download.eset.com/special/EConfickerRemover.exe">ESET Conficker Removal Tool</a>, <a
href="ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip">Downadup from F-Secure</a> or KidoKiller by Kaspersky.</p><p>Excellent information about Conficker detection and removal is available at <a
href="http://isc.sans.edu/diary.html?storyid=5860">Sans.org</a>.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/03/31/conficker-worm-detection-and-removal/feed/</wfw:commentRss> <slash:comments>8</slash:comments> </item> <item><title>I dnt hate Mozilla but use IE or else….</title><link>http://www.ghacks.net/2007/12/05/i-dnt-hate-mozilla-but-use-ie-or-else%e2%80%a6/</link> <comments>http://www.ghacks.net/2007/12/05/i-dnt-hate-mozilla-but-use-ie-or-else%e2%80%a6/#comments</comments> <pubDate>Wed, 05 Dec 2007 14:14:43 +0000</pubDate> <dc:creator>Cheryl</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[ie]]></category> <category><![CDATA[worm]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2007/12/05/i-dnt-hate-mozilla-but-use-ie-or-else%e2%80%a6/</guid> <description><![CDATA[I dnt hate Mozilla but use IE or else&#8230; is what I got when I tried to start Firefox sometime back. Just as the window opened, a box with this message popped up and then disappeared, taking my Firefox window along with it. Internet Explorer seemed to work until I tried opening Youtube. Then, I [...]]]></description> <content:encoded><![CDATA[<p>I dnt hate Mozilla but use IE or else&#8230; is what I got when I tried to start Firefox sometime back. Just as the window opened, a box with this message popped up and then disappeared, taking my Firefox window along with it. Internet Explorer seemed to work until I tried opening Youtube. Then, I got the following message before IE shut down as well.</p><p><strong><em>‘</em>Youtube is banned you fool, The administrators didn’t write this program guess who did?? MUHAHAHA!!’</strong></p><p><em> </em>I couldn’t for the life of me figure out how this had happened so I decided to search and see if this problem had cropped up somewhere else. Turns out, it’s pretty common. These messages are courtesy of the <strong>W32.USB worm</strong>. This worm copies itself to removable drives as Microsoft Power Point.exe and will infect your PC when you connect the infected drive to it. The infection is via a hidden Autorun.inf file.<span
id="more-2404"></span></p><p><img
src="http://www.ghacks.net/wp-content/uploads/2007/12/use-ie.png" align="absmiddle" height="122" width="260" /></p><p>Luckily, it’s fairly easy to get your browsers back to normal. Just follow the following steps.</p><ol><li>Right click the system tray and select the ‘Task Manager’ or just hit ‘Ctrl+Alt+Del’. Once the task manager is open, navigate to the ‘Processes’ tab.</li><li>Under the ‘Image name’ column, look for all entries marked ‘<strong>svchost.exe</strong>’, which are running under your USERNAME ONLY (not system, local or anything else). Terminate these processes by hitting the ‘End Process’ button. Close the task manager.</li><li>The next step is to delete the files themselves. Open ‘My Computer’ and type <strong>‘C:\heap41a’</strong>, then hit Enter. The folder will have the files ‘svchost.exe, script1.txt, standard.txt, reproduce.txt, and an audio file.’ Delete all the files in the folder and then delete the heap41a folder itself.</li><li>Now we have to delete the registry entry as well. Go to ‘Start &#8211;&gt; Run’ and type ‘regedit’. Once the registry opens, on the menu bar, go to ‘Edit &#8211;&gt; Find’ and type ‘heap41a’. After searching, you should have some entries with ‘heap41a’ in them. Delete all these entries.</li><li>Your PC is free of the worm.</li></ol><p>However, you also need to get rid of the worm from the USB drive, lest it infect your computer again. Connect your drive to the computer’s USB port (disable the drive from auto playing) and delete all entries marked with ‘autorun’. They may sometimes be in a separate folder.
Once these entries are gone, your USB drive is clean as well.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2007/12/05/i-dnt-hate-mozilla-but-use-ie-or-else%e2%80%a6/feed/</wfw:commentRss> <slash:comments>16</slash:comments> </item> <item><title>Anatomy of a failed virus attack</title><link>http://www.ghacks.net/2005/12/07/anatomy-of-a-failed-virus-attack/</link> <comments>http://www.ghacks.net/2005/12/07/anatomy-of-a-failed-virus-attack/#comments</comments> <pubDate>Wed, 07 Dec 2005 08:16:12 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Email]]></category> <category><![CDATA[Knowledge]]></category> <category><![CDATA[email header]]></category> <category><![CDATA[fake mail]]></category> <category><![CDATA[masquerade]]></category> <category><![CDATA[scam]]></category> <category><![CDATA[trojan]]></category> <category><![CDATA[virus]]></category> <category><![CDATA[worm]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=2</guid> <description><![CDATA[Jim Kissel of Open Source Migrations Limited wrote a nice article about a malicious email attack he encountered recently. He analyzes the email received and gives tips to secure Thunderbird, the free email program they use. ]]></description> <content:encoded><![CDATA[<p><a
href="http://www.theregister.co.uk/2005/12/06/failed_virus_attack/">Jim Kissel</a> of Open Source Migrations Limited wrote a nice article about a malicious email attack he encountered recently. He analyzes the email he received and gives tips to secure Thunderbird, the free email program he uses.</p><p>The interesting part is the analysis of the mail.  He dissects every part of the message and of course takes a look at the email header as well. The analysis ends with advice (which he puts at the beginning of his essay) that should be common sense nowadays.</p><p><span
id="more-2"></span>1.  You need effective technology to protect you from the many unscrupulous people out there on the Internet who want to damage your systems, scam you or generally subvert your computing resources for their own ends.</p><p>2. Security via technology alone is not sufficient to combat the cyber criminals who are out to get you, your business, and your computers.  You need to be aware of what is going on around you and take control of the situation before you are compromised.  Just as Ignorance of the law is no excuse,  ignorance of your computing environment can also land you in deep trouble.</p><p>My personal suggestion for you is to switch to a secure email program if you are still using Microsoft Outlook. Mozilla Thunderbird, Opera Email and many others are not attacked that often and have better options to improve security.</p><p>The suggestions that follow were all important back then and remain so today. Kissel suggests turning off JavaScript to block that attack vector, blocking the loading of remote elements like images, which can for instance be used for tracking purposes or exploits, using secure connections via SSL when retrieving and sending email, and viewing emails only in plain text and not HTML.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2005/12/07/anatomy-of-a-failed-virus-attack/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> </channel> </rss>
