6) Summary & Conclusions

= Sasser Worm =
**Simply put, the concept is understanding the target operating system and crafting the one message that triggers the buffer overflow (for Sasser, in the Windows LSASS service patched by MS04-011). Once that message lands, the rest of the malicious code runs and the attacker already has control of the system. Scary!**

__**To remove its infection:**__
 * 1) **Stop the worm from executing by killing the "avserve.exe" process.**
 * 2) **Remove the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve.exe so the worm no longer starts at logon.**
 * 3) **Block TCP ports 5554 and 9996 to prevent further spread through the network (5554 is the FTP server from which new victims fetch the worm, 9996 its remote shell). Blocking TCP 445 at the perimeter stops the exploit traffic itself.**
 * 4) **Delete the "avserve.exe" file from the Windows directory.**
 * 5) **Install the Microsoft patch MS04-011; an unpatched machine is reinfected as soon as it is back on the network.**
 * 6) **Reboot.**

__**To protect against similar infections:**__
 * 1. **Be informed and know your system:**
 * **Read bulletins and news from security experts describing the most recent attacks and vulnerabilities. Also, configure your systems to a specified standard and make sure all of them follow that standard.**
 * 2. **Be "fully" protected:**
 * **Have a suite of protection tools such as firewalls, network intrusion detection tools, anti-virus tools and simulators.**
 * **Apply updates and patches as they become available.**


 * **There are additional steps an enterprise can take to slow the spread of network worms beyond hardening individual machines or the network as a whole. These steps make it harder for an Internet worm to find and infect the organization's assets.**


 * **One method of combating worms is to slow down their scanning. Many security professionals know tools like LaBrea, which do exactly that. LaBrea watches for ARP requests that nobody answers and answers them itself, so every unused IP address on the segment appears to belong to a live host. An automated scan that connects to one of these phantom hosts gets a SYN/ACK with a tiny window; when the scanner sends data, LaBrea acknowledges it with a receive window of zero and keeps answering the resulting window probes the same way ("persist mode"). The scanner's TCP stack dutifully waits for a window that never opens, and the worm's scanning threads hang on connections that go nowhere.**
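As an added example (not LaBrea's own code, and not part of the original page), the following Python builds the two replies a LaBrea-style tarpit sends. Like LaBrea it is stateless: everything in the reply is derived from the incoming packet. The window sizes, the fixed initial sequence number, and the omission of the ARP spoofing and of the raw-socket send path are assumptions of this example.

```python
"""LaBrea-style tarpit responder for raw IPv4/TCP packets (added example).

  SYN                 -> SYN/ACK with a tiny window   (scanner thinks a host answered)
  data / window probe -> ACK with a zero window       (scanner's stack enters persist mode)
  RST or bare ACK     -> silence
ARP spoofing of unused addresses and the raw-socket/pcap send path are not shown.
"""
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SYNACK_WINDOW = 10    # assumption: small but non-zero, so the handshake completes
PERSIST_WINDOW = 0    # zero window: the peer must stop sending and start probing
PHANTOM_ISN = 0       # assumption: no per-connection state, so a fixed ISN suffices


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse(pkt: bytes) -> dict:
    """Extract the fields a tarpit needs from a raw IPv4/TCP packet (options skipped)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF, "win": win,
            "payload": tcp[data_off:]}


def build(src, dst, sport, dport, seq, ack, flags, win, payload=b"") -> bytes:
    """Assemble an IPv4/TCP packet with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_ok(pkt: bytes) -> bool:
    """Both checksums fold to zero when recomputed over the bytes as received."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def tarpit_reply(pkt: bytes) -> Optional[bytes]:
    """Reply to a packet addressed to a phantom host; None means stay silent."""
    p = parse(pkt)
    if p["flags"] & RST:
        return None                        # peer tore the connection down
    back = dict(src=p["dst"], dst=p["src"], sport=p["dport"], dport=p["sport"])
    if p["flags"] & SYN and not p["flags"] & ACK:
        # Handshake: answer so the scanner believes a host is listening.
        return build(**back, seq=PHANTOM_ISN, ack=(p["seq"] + 1) & 0xFFFFFFFF,
                     flags=SYN | ACK, win=SYNACK_WINDOW)
    if not p["payload"]:
        return None                        # third handshake step: nothing to acknowledge
    # Data or window probe: acknowledge what arrived but advertise a zero window.
    # The peer's stack now waits and probes at growing intervals; the window never opens.
    return build(**back, seq=PHANTOM_ISN + 1, ack=(p["seq"] + len(p["payload"])) & 0xFFFFFFFF,
                 flags=ACK, win=PERSIST_WINDOW)


if __name__ == "__main__":
    # Constructed sample exchange: a scanner at 10.0.0.5 probes phantom 10.0.0.9:445.
    scanner, phantom = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    syn = build(scanner, phantom, 40000, 445, 1000, 0, SYN, 65535)
    synack = parse(tarpit_reply(syn))
    print("SYN  -> flags 0x%02x ack %d win %d" % (synack["flags"], synack["ack"], synack["win"]))
    data = build(scanner, phantom, 40000, 445, 1001, 1, ACK | PSH, 65535, b"\x00" * 10)
    ack0 = parse(tarpit_reply(data))
    print("data -> flags 0x%02x ack %d win %d" % (ack0["flags"], ack0["ack"], ack0["win"]))
```

To turn this into a working tarpit you would feed it packets captured for the phantom addresses (after answering their ARP requests) and write the returned bytes to a raw socket; the value of the approach is that every reply is computed from the incoming packet alone, so a single process can hold open as many scanner connections as the scanner cares to start.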


 * **Another mechanism that reduces the number of machines reached during an outbreak is to space populated networks widely across the private address range. Using disparate sections of 10.0.0.0/8, rather than packing every subnet into the first few /16s, forces a worm like Welchia, which preferred addresses near the infected host's own, to scan many dead areas (ideally areas covered by LaBrea) while searching for live hosts. The caveat: this only buys time against scanners with a locality or sequential bias. A worm that picks targets uniformly at random from the whole /8 sees only the overall host density, however the hosts are laid out.**
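The reasoning above can be made quantitative. The following Python is an added example, not part of the original page: a mean-field worm-propagation model in the style of the random-constant-spread models used to analyse Code Red. Each infected host probes one address per step, staying inside its own /16 with probability P_LOCAL; the host counts, the value of P_LOCAL and the 90% threshold are assumptions chosen for illustration.

```python
"""Mean-field model of a local-preference scanning worm inside 10.0.0.0/8 (added example).

Hosts live in /16 blocks. Each infected host probes one address per step, choosing
it inside its own /16 with probability p_local and anywhere in the /8 otherwise.
The model tracks the expected number of infected hosts per block, so it is
deterministic and fast; it ignores the cost of each probe (a tarpit multiplies that).
"""
SPACE = 2 ** 24   # addresses in 10.0.0.0/8
BLOCK = 2 ** 16   # addresses in one /16
P_LOCAL = 0.5     # assumption: half of the probes stay inside the scanner's own /16


def steps_to_fraction(hosts_per_block, target=0.9, p_local=P_LOCAL, max_steps=10 ** 6):
    """Scan steps until `target` of all hosts are expected to be infected.

    hosts_per_block: live-host count of each populated /16 (all other /16s are empty).
    Patient zero sits in the first block. Returns None if max_steps is exhausted.
    """
    total = sum(hosts_per_block)
    infected = [0.0] * len(hosts_per_block)
    infected[0] = 1.0
    for step in range(1, max_steps + 1):
        scanners = sum(infected)
        new = []
        for i_b, h_b in zip(infected, hosts_per_block):
            susceptible = h_b - i_b
            # probes by this block's own scanners that land on its uninfected hosts
            local = i_b * p_local * susceptible / BLOCK
            # probes by every scanner that land here by chance from the whole /8
            remote = scanners * (1.0 - p_local) * susceptible / SPACE
            new.append(min(susceptible, local + remote))
        infected = [i + n for i, n in zip(infected, new)]
        if sum(infected) >= target * total:
            return step
    return None


def dense(n):
    """All n hosts packed into a single /16."""
    return [n]


def sparse(n, blocks):
    """The same n hosts spread evenly over `blocks` different /16s."""
    return [n // blocks] * blocks


if __name__ == "__main__":
    for p in (P_LOCAL, 0.0):
        d = steps_to_fraction(dense(1024), p_local=p)
        s = steps_to_fraction(sparse(1024, 8), p_local=p)
        print(f"p_local={p}: one dense /16 -> {d} steps, eight sparse /16s -> {s} steps")
```

With p_local at 0.5 the spread-out layout takes several times longer to reach 90% infection, because within each block the worm's local probes hit one eighth as often and the blocks only seed each other through the rare /8-wide probes. With p_local at 0 (a uniformly random scanner) both layouts reach 90% on the same step: the per-block terms sum to the same overall density, which is exactly the caveat stated above.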



= Stuxnet Worm =
 * **Stuxnet infects Windows machines (2000, Server 2003, XP, Vista and 7) on the same network automatically, and crosses between networks on shared USB drives. The worm carries a payload aimed at Siemens Supervisory Control and Data Acquisition (SCADA) software and the PLCs it programs. The payload only activates for configurations that contain variable-frequency drives from one of two vendors, set to operate between 807 Hz and 1210 Hz. It then periodically alters the frequency the drives run at, apparently to disrupt the process by breaking the equipment. These changes to drive speed are hidden from the operators: the worm feeds a fake signal to the monitoring software, so the displays keep showing normal values.**


 * **Stuxnet contains many features, such as:**
 * **Self-replicates through removable drives by exploiting a vulnerability that allows automatic execution: Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732, patched in MS10-046).**
 * **Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073, patched in MS10-061).**
 * **Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874, the MS08-067 flaw also used by Conficker).**
 * **Copies and executes itself on remote computers through network shares.**
 * **Copies and executes itself on remote computers running a WinCC database server.**
 * **Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.**
 * **Updates itself through a peer-to-peer mechanism within a LAN.**
 * **Exploits a total of four unpatched Microsoft vulnerabilities: the two self-replication vulnerabilities mentioned above and two escalation-of-privilege vulnerabilities that had yet to be disclosed at the time (later addressed by MS10-073 and MS10-092).**
 * **Contacts a command and control server that lets the attacker download and execute code, including updated versions of the worm.**
 * **Contains a Windows rootkit that hides its binaries.**
 * **Attempts to bypass security products.**
 * **Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.**
 * **Hides the modified code on the PLCs, essentially a rootkit for PLCs.**


 * **The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge of reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope never to see again.**


 * **Finally, and amazingly, a single attack can combine all the types of infection. For example, a file deemed safe, such as a song, is downloaded (Trojan). That file then infects your programs (virus) and propagates through the network by sending itself through your email client to all your contacts (worm).**