
Trojan-Dropper:W32/Stuxnet


First posted on 22 July 2010.
Source: SecurityHome

Aliases:

There are no other names known for Trojan-Dropper:W32/Stuxnet.

Explanation:

A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.

Additional Details

Trojan-Dropper:W32/Stuxnet automatically executes itself and drops files onto the system by exploiting a vulnerability in various Windows versions (CVE-2010-2568) that allows malicious code to run when a specially crafted shortcut icon is displayed.

This malware appears to be targeted to businesses using Siemens SIMATIC WinCC database applications, as its payload involves data theft from these resources.

This malware is further discussed in the following Labs weblog posts:

- LNK Vulnerability: Embedded Shortcuts in Documents
- Another Signed Stuxnet Binary
- Update on Security Advisory 2286198
- Code for Shortcut Zero-Day Exploit is Public
- Zero-Day Vulnerability in Windows Shell
- More Analysis of Case LNK Exploit
- Espionage Attack Uses LNK Shortcut Files

For more information, please also refer to Microsoft Security Advisory 2286198.

Exploit

Stuxnet shares similarities with an Autorun worm, as it usually arrives via an infected USB thumb drive or other removable media, and once on an infected computer, will save copies of itself on other removable media for propagation to new victim machines.

However, instead of relying on Autorun processing of an autorun.inf file to force execution, Stuxnet takes advantage of a vulnerability in the parsing of shortcut (.LNK) files in order to execute a malicious Control Panel module.

An attacker can subvert this operation with a specially crafted .LNK file that points to a specially crafted Control Panel module (in reality, the malware). When the system attempts to resolve the shortcut file's icon, the vulnerability is triggered and the Control Panel module is loaded and executed. The user does not need to click on the icon; it is enough that the shortcut is displayed, for example when the folder containing it is opened in Explorer.

For the exploit to work, the malicious shortcut file has to be formatted as a valid Control Panel shortcut, while the trojan-dropper component itself must be formatted as a valid Control Panel module (for instance, it must export the CplApplet function).

The exploit may also be embedded in document files that support embedded shortcuts (see LNK Vulnerability: Embedded Shortcuts in Documents).

We detect the exploit as Exploit:W32/WormLink.
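The check a defender would want for the shortcut pattern described in this section, written here as an added example (it is not code from the original page or from F-Secure): a small Python parser that reads the ShellLinkHeader and LinkTargetIDList of a .lnk file according to the MS-SHLLINK format and flags a shortcut whose item ID list both contains the Control Panel folder CLSID and names a loadable module on disk, which is the combination the exploit needs. The two sample links are constructed inline for the demonstration; their item layout is simplified and is not a copy of the real Copy of Shortcut to.lnk files. All function and constant names are this example's own.

```python
"""Heuristic triage of Windows shell link (.lnk) files for the CVE-2010-2568
pattern: a Control Panel shortcut whose item ID list names a module on disk.
Structure offsets follow MS-SHLLINK; the sample links below are constructed."""
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# Shell folder CLSIDs as they appear little-endian inside item IDs.
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1
# Extensions a Control Panel item could load as a DLL (heuristic, example's own).
MODULE_PATH = re.compile(r"[\x20-\x7e]{2,}\.(?:cpl|dll|tmp)\b", re.IGNORECASE)


def parse_idlist(data, offset):
    """Return the ItemID payloads of the LinkTargetIDList that starts at offset."""
    (idlist_size,) = struct.unpack_from("<H", data, offset)
    offset += 2
    end = offset + idlist_size  # IDListSize covers the ItemIDs and the TerminalID
    items = []
    while offset + 2 <= end:
        (cb,) = struct.unpack_from("<H", data, offset)
        if cb == 0:  # TerminalID closes the list
            break
        if cb < 2 or offset + cb > end:
            raise ValueError("malformed ItemID")
        items.append(bytes(data[offset + 2:offset + cb]))
        offset += cb
    return items


def utf16_strings(blob):
    """Decode UTF-16LE text at both byte alignments; item data is not aligned."""
    out = []
    for start in (0, 1):
        chunk = blob[start:]
        chunk = chunk[:len(chunk) & ~1]
        out.append(chunk.decode("utf-16-le", errors="ignore"))
    return out


def triage_lnk(data):
    """Return a list of findings; an empty list means nothing matched."""
    if len(data) < HEADER_SIZE:
        return ["not a shell link: file too short"]
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        return ["not a shell link: bad header"]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []  # no target ID list, so no Control Panel item can be in it
    items = parse_idlist(data, HEADER_SIZE)
    findings = []
    if any(CONTROL_PANEL_CLSID in item for item in items):
        findings.append("target ID list contains the Control Panel folder CLSID")
    for item in items:
        for text in utf16_strings(item):
            m = MODULE_PATH.search(text)
            if m:
                findings.append("item ID names a loadable module: " + m.group(0))
    return findings


def is_cve_2010_2568_pattern(data):
    """Both conditions together are what the icon-resolution exploit needs."""
    findings = triage_lnk(data)
    return (any("Control Panel" in f for f in findings)
            and any("module" in f for f in findings))


def build_lnk(items):
    """Assemble a minimal shell link holding only a LinkTargetIDList (constructed)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\0" * (HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\0\0"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: a root item for My Computer, then either an ordinary file
# item or a Control Panel item followed by a path to a module on a removable drive.
BENIGN = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x31\x00" + "C:\\Windows\\notepad.exe".encode("utf-16-le"),
])
SUSPECT = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x1f\x00" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "E:\\~WTR4141.tmp".encode("utf-16-le"),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, is_cve_2010_2568_pattern(blob), triage_lnk(blob))
```

Legitimate shortcuts to Control Panel applets exist, so a hit is triage input rather than a verdict; what makes the Stuxnet case stand out is a Control Panel item whose module lives on removable media or in a temporary file rather than in the system directory.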

Infection

On execution, the malware drops the following files onto the system:

- mrxcls.sys and mrxnet.sys - dropped in the C:\Windows\System32\Drivers folder
- C:\Windows\inf\oem7a.PNF - an encrypted DLL file, the trojan-dropper's main component
- C:\Windows\inf\mdmcpq3.PNF
- C:\Windows\inf\mdmeric3.PNF
- C:\Windows\inf\oem6c.PNF

An alert user may recognize the presence of a Stuxnet infection if the following items are present (which is helpful if the infected machine has no antivirus product installed):

- The 2 dropped files, mrxcls.sys and mrxnet.sys, are found in the C:\Windows\System32\Drivers folder
- The service registry keys for the 2 dropped drivers are present:
  - HKLM\System\CurrentControlSet\Services\MRxNet
  - HKLM\System\CurrentControlSet\Services\MRxCls

Execution

The encrypted DLL file contained in the dropped oem7a.PNF file is injected into a process under a module name with the following structure:

- [normaldll].ASLR.[random] - e.g., Kernel32.dll.aslr.21af34

The injection is performed by the mrxcls.sys file, which is responsible for attaching and copying the DLL into the target process. The rest of the injection routine is carried out by 2 additional components embedded in the mrxcls.sys file, which are also loaded into the same process space.

mrxcls.sys also injects code to these processes:

- services.exe
- svchost.exe
- lsass.exe

Payload

The file mrxnet.sys checks for files on the system whose names carry the following extensions or prefix:

- .TMP
- ~WTR
- .LNK

If a match is found, the files are hidden by modifying the FileInfo structure.

Meanwhile, the DLL attempts to connect to any available Siemens SIMATIC WinCC applications using hard-coded administrative username/password credentials. If successfully connected, it attempts to locate the file \GraCS\cc_tlg7.sav in all databases whose names start with CC. If the file is found, the DLL then extracts it as cc_tlg7.savx.

If the targeted files are not found on the infected system, Stuxnet will save copies of itself as TMP files onto an available removable drive, using the following filenames:

- ~WTR4132.tmp - main installer on the USB drive
- ~WTR4141.tmp - first driver loader on the USB drive

The following files are also dropped to the removable drive:

- Copy of Shortcut to.lnk
- Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Shortcut to.lnk
- Copy of Copy of Copy of Copy of Shortcut to.lnk

These shortcuts are responsible for loading the ~WTR4141.tmp file whenever the infected removable drive is plugged into a new system; the ~WTR4141.tmp file in turn loads the ~WTR4132.tmp file.

Stealth

The file ~WTR4141.tmp hooks the following APIs to hide the malware files in the removable drive:

- FindFirstFileW
- FindNextFileW
- FindFirstFileExW
- NtQueryDirectoryFile
- ZwQueryDirectoryFile

Last update 22 July 2010
