Entries filed under 'Peter Silberman'
Stuxnet Memory Analysis and IOC creation
The <a href="http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx">stuxnet</a> malware has been making the press recently for two reasons. First, it contains two drivers signed with a legitimate (at the time) <a href="http://threatpost.com/en_us/blogs/possible-new-rootkit-has-drivers-signed-realtek-071510">cert</a>. Second, it targets <a href="http://www.zdnet.co.uk/news/security/2010/07/19/windows-systems-at-risk-from-stuxnet-shortcut-malware-40089575/">SCADA systems</a>. The malware is cool for a host of other geeky reasons. Nick Harbour, Stephen Davis, and I started looking at the malware Sunday afternoon. We had hoped to write a blog post about the specifics of the malware before we left for Vegas on Friday. However, in the short term I thought this malware would provide a great opportunity to demonstrate how memory analysis can be leveraged to find malware easily, and how MANDIANT's <a href="http://www.mandiant.com/products/free_software/ioce/">Indicator of Compromise editor</a> (IOCe) tool can be used to describe the malware and what to look for.