Thursday, May 19, 2016

Stuxnet|Malware|Rootkit



Stuxnet - CVE-2010-2568


Stuxnet is a highly sophisticated piece of malware designed to sabotage the normal functioning of critical systems. In contrast to the somewhat indiscreet approach used to reach these sensitive systems, the sabotage itself is intended to be very discreet. To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (all since corrected by Microsoft) targeting different versions of Windows, as well as the well-known MS08-067 vulnerability, which had been corrected several years earlier.
To reach its target quickly, the malware also uses a default password defined within certain SCADA (Supervisory Control And Data Acquisition) systems based on Siemens' SIMATIC WinCC software.

How Stuxnet Works

This worm was created mainly to sabotage the Iranian nuclear program. Once installed on a PC, Stuxnet uses Siemens' default passwords to gain access to the systems running the WinCC and PCS 7 programs, which control and modify the code of the PLCs (programmable logic controllers) that in turn control the machines themselves.

Image source: http://spectrum.ieee.org


Stuxnet operates in two stages after infection, according to Symantec Security Response Supervisor Liam O'Murchu. First it uploads configuration information about the Siemens system to a command-and-control server. Then the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs to work for them, and then they send code to the infected machines that will change how the PLCs work," O'Murchu said.

Spreading Mechanism:
·  USB Drive Infection
Stuxnet creates a new hidden window named “ABCDhJk” and is notified of any new USB flash drive inserted into the computer by waiting for the “WM_DEVICECHANGE” Windows message.
After being notified that a new drive (USB flash memory) has been added to the computer, Stuxnet writes 6 files to the flash drive: 4 shortcut files,
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
and 2 executable files (DLL files):
~WTR4141.tmp
~WTR4132.tmp
These malformed shortcut files exploit a vulnerability in the Windows Shell, CVE-2010-2568 (MS10-046), the Windows Shell LNK Vulnerability. It is not a buffer-overflow vulnerability; it stems from the flawed way Windows loads icons for LNK files.

·  Spreading via Network:

Stuxnet spreads via the network using one of two vulnerabilities:
CVE-2008-4250 (MS08-067) – Windows Server Service NetPathCanonicalize() Vulnerability
CVE-2010-2729 (MS10-061) – Windows Print Spooler Service Vulnerability
The first vulnerability is not a zero-day; it was already known and had previously been used by Conficker. Using this vulnerability, Stuxnet looks for C$ and Admin$ shares on remote systems, then copies itself as a file named "DEFRAGxxxxx.TMP" into the first writable directory found on the share.
It then tries to execute the command:
rundll32.exe "DEFRAGxxxxx.TMP",DllGetClassObjectEx

The second vulnerability is a zero-day. It was first described by Carsten Kohler in Hakin9 magazine 04/2009 in an article named “Print Your Shell”.
This vulnerability wasn't used in the wild until Stuxnet. It allows a guest user account to communicate with a machine that has a shared printer and write a file into its system directory.
The Windows printing APIs allow the caller to choose the directory the file is copied to, and with an API named “GetSpoolFileHandle” you can obtain the file handle of the newly created file on the target machine; then, with the ReadFile and WriteFile APIs, you can easily copy your file onto the target machine.
Stuxnet copies 2 files onto the target machine:
Windows\System32\winsta.exe
Windows\System32\wbem\mof\sysnullevnt.mof
The first file is the Stuxnet dropper and the second is a Managed Object Format (MOF) file. This file (under some conditions) executes winsta.exe, the Stuxnet dropper.
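As an added example (not from the original post, and not Stuxnet's own code), the detection logic below turns the artefacts described in both spreading sections into checks over constructed file-write and process-start events: the nested "Copy of ... Shortcut to.lnk" names and ~WTR*.tmp DLLs on removable media, the DEFRAGxxxxx.TMP copy to a C$/Admin$ share followed by the rundll32 DllGetClassObjectEx call, and the two files dropped through the print spooler. The host names, the event format and the alphanumeric reading of "xxxxx" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Example detection logic added here; not Stuxnet code and not from the original post.
# The "x" characters in the post's "DEFRAGxxxxx.TMP" are assumed to be alphanumeric.
LNK_NAME = re.compile(r"^(Copy of )+Shortcut to\.lnk$", re.I)   # nested "Copy of" shortcuts
WTR_NAME = re.compile(r"^~WTR\d{4}\.tmp$", re.I)                  # ~WTR4141.tmp / ~WTR4132.tmp
DEFRAG_NAME = re.compile(r"^DEFRAG\w{5}\.TMP$", re.I)
RUNDLL_CMD = re.compile(r'rundll32(\.exe)?\s+"?DEFRAG\w{5}\.TMP"?,\s*DllGetClassObjectEx', re.I)
SPOOLER_DROPS = {"winsta.exe", "sysnullevnt.mof"}                 # written via the MS10-061 bug

@dataclass
class Event:
    kind: str   # "file" (a file was written) or "process" (a process was started)
    host: str
    value: str  # full path for "file", full command line for "process"

def classify(ev: Event) -> Optional[str]:
    """Map one telemetry event to the propagation stage it resembles, or None."""
    path = ev.value.lower()
    name = path.rsplit("\\", 1)[-1]
    if ev.kind == "file":
        if LNK_NAME.match(name) or WTR_NAME.match(name):
            return "usb-lnk-propagation (CVE-2010-2568)"
        if DEFRAG_NAME.match(name) and ("\\c$\\" in path or "\\admin$\\" in path):
            return "admin-share-copy (MS08-067 stage)"
        if name in SPOOLER_DROPS and "\\system32\\" in path:
            return "spooler-drop (MS10-061)"
    elif ev.kind == "process" and RUNDLL_CMD.search(ev.value):
        return "remote-dll-execution (rundll32 DllGetClassObjectEx)"
    return None

def triage(events: List[Event]) -> Dict[str, Set[str]]:
    """Group matched stages per host; several distinct stages on one host is a strong signal."""
    hits: Dict[str, Set[str]] = {}
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.setdefault(ev.host, set()).add(verdict)
    return hits
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    Event("file", "ws01", "E:\\Copy of Copy of Shortcut to.lnk"),
    Event("file", "ws01", "E:\\~WTR4141.tmp"),
    Event("file", "ws01", "E:\\Copy of budget.xlsx"),                      # benign
    Event("file", "srv02", "\\\\srv02\\C$\\WINDOWS\\DEFRAG7a1c9.TMP"),
    Event("process", "srv02", 'rundll32.exe "DEFRAG7a1c9.TMP",DllGetClassObjectEx'),
    Event("file", "eng03", "C:\\Windows\\System32\\wbem\\mof\\sysnullevnt.mof"),
    Event("process", "eng03", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]
```

Running `triage(SAMPLE_EVENTS)` flags srv02 with two distinct stages (the share copy and the rundll32 execution), while the two benign events match nothing.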

Recommendations
Some suggestions which can be considered to prevent Stuxnet infection:

  •  Restrict file sharing through USB drives via Active Directory or endpoint security solutions (for enterprises).

  •  Disable autorun features in Windows so that removable devices do not execute when they are inserted into a computer.

  •  Patch the operating system and software. Installing the following patches will reduce the risk to your computer:

       ->  Microsoft Security Bulletin MS10-046
       ->  Microsoft Security Bulletin MS08-067
       ->  Microsoft Security Bulletin MS10-061

  •  Address blocking: block access to the following addresses using a firewall or router, or add entries to the local hosts file redirecting them to 127.0.0.1:

       ->  www.mypremierfutbol.com
       ->  www.todaysfutbol.com

  •  If the registry entries below are found, take immediate action: isolate the system, perform a full malware analysis, and delete the entries.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

  •  Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers, which helps prevent or limit damage when a computer is compromised.
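To check a host for the two registry entries and the two addresses listed above, here is an added example (not from the original post) that parses a `reg export` of the Services key in Windows Registry Editor text format and compares a hosts file against the block list; the sample export, including the legitimate-looking MRxSmb entry, is constructed.

```python
import re
from typing import Dict, List
# Example triage code added here, not from the original post: it parses a "reg export" of the
# Services key for the two driver services named above and lists missing hosts-file redirects.
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
STUXNET_DRIVERS = {"mrxcls": "mrxcls.sys", "mrxnet": "mrxnet.sys"}  # %System%\drivers\...
C2_DOMAINS = ["www.mypremierfutbol.com", "www.todaysfutbol.com"]

def parse_services(reg_export: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {value_name: string_value}} from the export text."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in reg_export.splitlines():
        key = SERVICE_KEY.match(line.strip())
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        val = VALUE_LINE.match(line.strip())
        if val and current is not None:
            services[current][val.group(1)] = val.group(2)
    return services

def find_stuxnet_services(reg_export: str) -> List[str]:
    """Flag MRxCls/MRxNet services whose ImagePath points at the rootkit drivers."""
    findings = []
    for name, values in parse_services(reg_export).items():
        driver = STUXNET_DRIVERS.get(name.lower())
        image = values.get("ImagePath", "")
        if driver and image.lower().endswith("\\" + driver):
            findings.append(f"{name}: ImagePath={image}")
    return findings

def missing_hosts_entries(hosts_text: str) -> List[str]:
    """Return the 127.0.0.1 redirect lines not already present in a hosts file."""
    present = {tok.lower() for line in hosts_text.splitlines() if not line.lstrip().startswith("#")
               for tok in line.split()[1:]}
    return [f"127.0.0.1 {d}" for d in C2_DOMAINS if d not in present]
# Constructed sample export: one legitimate-looking service plus the two from the post.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"ImagePath"="%System%\drivers\mrxcls.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"ImagePath"="%System%\drivers\mrxnet.sys"
"""
```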










