Stuxnet’s Credentials

I had a hard time finding the Stuxnet rootkit and the credentials it used to exploit the Siemens WINCC6 SCADA system.

So here you go, here are the default credentials it used against the WINCC6 MSSQL Server:

Username: WinCCConnect
Password: 2WSXcder

Username: WinCCAdmin
Password: 2WSXcde.

Just for documentation.

The odds that you will stumble upon one of these systems are low.
So no harm done here! I just want to make it easier for other people who are searching for this information.

Oh, and I might add, the rootkit is stored at:

%SystemRoot%\Windows32\drivers\mrxcls.sys

...and here:

%SystemRoot%\Windows32\drivers\mrxnet.sys

Another way to detect its presence is to look for the odd Windows services "MRxCls" and "MRxNet".
It also creates two registry entries at:

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls

...and:

HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

It spreads via USB sticks, using a previously unknown security flaw in Microsoft Windows' handling of .LNK files.

More information about the 0-day can be found here.

That's it. What more information do you need if you wish to code an anti-virus for this specific worm?
Oh yeah. Both "drivers" are signed by Realtek Semiconductor Corp. That might be something to look out for as well.
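To turn the indicators above (the two driver files, the two services, the two registry keys and the Realtek signature) into an actual check, here is a read-only PowerShell script. It is an added example written for this page, not code from the original post or from any anti-virus product. It assumes the drivers live in the standard Windows driver directory, %SystemRoot%\System32\drivers, and additionally resolves each service's ImagePath from the registry keys named above so that the file is found wherever the service entry points. The signer test simply matches the string "Realtek" in the certificate subject; the SHA256 it prints is collected for your own comparison, since the post gives no hash.

```powershell
# Added example (not from the original post): read-only check for the Stuxnet
# MRxCls/MRxNet indicators. Run in an elevated prompt; it reports and changes nothing.

$serviceNames = @('MRxCls', 'MRxNet')
$driverFiles  = @('mrxcls.sys', 'mrxnet.sys')
# Assumption: standard driver directory (the post's path is written differently).
$driverDir    = Join-Path $env:SystemRoot 'System32\drivers'

$script:findings = New-Object System.Collections.Generic.List[string]
$script:seen     = @{}   # avoid reporting the same file twice

function Test-DriverFile {
    param([string]$Path)
    $key = $Path.ToLowerInvariant()
    if ($script:seen.ContainsKey($key)) { return }
    $script:seen[$key] = $true
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $script:findings.Add("file present: $Path")
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $script:findings.Add("  signer: $signer (status: $($sig.Status))")
        # The post notes both drivers carry a Realtek Semiconductor signature.
        if ($signer -match 'Realtek') {
            $script:findings.Add("  WARNING: driver is signed with a Realtek certificate")
        }
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $script:findings.Add("  sha256: $hash")
}

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Service ImagePath values may carry \??\ or \SystemRoot\ prefixes, or be
    # relative to the Windows directory; normalise them to a plain file path.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

foreach ($name in $serviceNames) {
    # Registry keys named in the post.
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path -LiteralPath $regKey) {
        $script:findings.Add("registry key present: $regKey")
        $imagePath = (Get-ItemProperty -LiteralPath $regKey -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath) {
            $script:findings.Add("  ImagePath: $imagePath")
            Test-DriverFile -Path (Resolve-ImagePath -ImagePath $imagePath)
        }
    }
    # Kernel drivers are not listed by Get-Service, so query Win32_SystemDriver.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($drv) {
        $script:findings.Add("driver service present: $($drv.Name) state=$($drv.State) path=$($drv.PathName)")
    }
}

# Also look directly in the driver directory in case no service entry remains.
foreach ($file in $driverFiles) {
    Test-DriverFile -Path (Join-Path $driverDir $file)
}

if ($script:findings.Count -eq 0) {
    Write-Output "No MRxCls/MRxNet indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "Possible Stuxnet indicators on ${env:COMPUTERNAME}:"
    $script:findings | ForEach-Object { Write-Output $_ }
}
```

Absence of every indicator is not proof of a clean host, and a Realtek-signed driver is not by itself malicious; the script is meant to surface the specific combination this post describes so that a suspicious file can be hashed and pulled for analysis.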

It's a pretty clever example of how dangerous malware can be when used for industrial espionage.

Anyway,
Ciao.

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm currently working at Young / Skilled and am a shareholder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on Twitter @Almroot.

1 Comment

  1. Tweets that mention Stuxnet’s Credentials -- Topsy.com says:

    [...] This post was mentioned on Twitter by xanda, AckAck. AckAck said: New Post: Stuxnet's Credentials ( http://h.ackack.net/stuxnets-credentials.html ): I had a hard time finding the... [...]
