Stuxnet - Case Study

Post on 20-May-2015


This presentation is for CISS6011 Special Topic: Cybersecurity at the University of Sydney.

Transcript of Stuxnet - Case Study

Case Study: Stuxnet
By Amr Thabet

Stuxnet Overview
- Most sophisticated malware ever seen in public
- Uses up to 6 vulnerabilities (5 in Windows, 1 in Siemens)
- Its code is ~1.5 MB (very large)
- Has 3 rootkits (User-Mode, Kernel-Mode and PLC rootkit)
- Spreads via USB flash memory and network shares
- Updates itself via the Internet by connecting (HTTP) to two websites (encrypted connection)
- Infects SCADA systems
- The first malware with a physical payload

Stuxnet Life CycleStuxnet Life Cycle

Stuxnet's Main Dropper
- The dropper is a program that contains the real malware and carries it from one PC to another (like a ship)
- It loads the main DLL in a special way
- It uses LoadLibraryA and hooks the file management APIs that LoadLibraryA relies on, so the DLL is read from memory rather than from a file on disk

Process Injection
- Stuxnet injects itself into a process (usually lsass.exe)
- It copies itself into the memory of lsass and then forces lsass to execute it by modifying its code
- In Stuxnet's case it unloads (removes) the original process image (lsass) from memory (while the process is suspended) and then loads another PE file into that memory with the same entry point
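A defender-side check for the image replacement described on this slide, written as an added example for this transcript (it is not code from the deck): it parses the PE headers of the file on disk and of the image mapped in process memory and reports what differs. Because the replacement image keeps the same entry point, comparing the entry point alone is not enough, so the check also hashes each section's bytes. The PE builder, the sample images and their layout are constructed here for the demonstration; on a live system the memory image would come from a process memory dump.

```python
import hashlib
import struct


def build_pe(code: bytes, entry_rva: int = 0x1000, mapped: bool = False) -> bytes:
    """Build a minimal single-section PE32 image (constructed test data, not a real binary).

    mapped=False lays the section out at PointerToRawData (file on disk);
    mapped=True lays it out at VirtualAddress (image as seen in process memory).
    """
    file_align, sect_align = 0x200, 0x1000
    raw_size = -(-len(code) // file_align) * file_align       # ceil to FileAlignment
    virt_size = -(-len(code) // sect_align) * sect_align      # ceil to SectionAlignment
    size_of_image = sect_align + virt_size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)      # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)     # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)     # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    struct.pack_into("<I", opt, 60, file_align)     # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), sect_align,
                          raw_size, file_align, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    body_at = sect_align if mapped else file_align
    total = size_of_image if mapped else file_align + raw_size
    return (headers.ljust(body_at, b"\0") + code).ljust(total, b"\0")


def pe_summary(data: bytes, mapped: bool) -> dict:
    """Extract the header fields and per-section hashes that the hollowing check compares."""
    if data[:2] != b"MZ":
        raise ValueError("no DOS header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    summary = {
        "magic": magic,
        "entry": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
        "sections": [],
    }
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        start = va if mapped else raw_ptr                # where this layout keeps the section bytes
        blob = data[start:start + vsize]
        summary["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return summary


def hollowing_indicators(disk_image: bytes, memory_image: bytes) -> list:
    """Compare the file on disk with the mapped image; a non-empty list is a hollowing indicator."""
    on_disk = pe_summary(disk_image, mapped=False)
    in_mem = pe_summary(memory_image, mapped=True)
    findings = []
    for field in ("magic", "entry", "image_base", "size_of_image"):
        if on_disk[field] != in_mem[field]:
            findings.append(f"{field} differs: disk={on_disk[field]:#x} memory={in_mem[field]:#x}")
    if len(on_disk["sections"]) != len(in_mem["sections"]):
        findings.append("section count differs")
    for d, m in zip(on_disk["sections"], in_mem["sections"]):
        if (d["name"], d["va"]) != (m["name"], m["va"]):
            findings.append(f"section layout differs: {d['name']}@{d['va']:#x} vs {m['name']}@{m['va']:#x}")
        elif d["sha256"] != m["sha256"]:
            findings.append(f"section {d['name']} content differs from the file on disk")
    return findings


# Constructed samples: a legitimate image, and a replacement image that keeps the
# same entry point but carries different code (the pattern the slide describes).
LEGIT_CODE = b"\x55\x8b\xec" + b"\x90" * 16 + b"\xc3"
REPLACED_CODE = b"\x55\x8b\xec" + b"\xcc" * 40 + b"\xc3"

if __name__ == "__main__":
    disk = build_pe(LEGIT_CODE)
    print("clean:   ", hollowing_indicators(disk, build_pe(LEGIT_CODE, mapped=True)))
    print("hollowed:", hollowing_indicators(disk, build_pe(REPLACED_CODE, mapped=True)))
```

On a real process the code section of a legitimate image can differ from disk where the loader applied relocations or a security product placed inline hooks, so a production version masks those fixups out before hashing; the header fields (entry point, image base, size of image, section layout) are the cheap first-pass signal.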

Escalation of Privileges
- Escalation of privileges means doing something you are not allowed to do. In Stuxnet's case it takes administrator privileges to install itself
- It uses 2 vulnerabilities in the Windows OS:
  - CVE-2010-2743 (MS-10-073) - Win32K.sys Keyboard Layout Vulnerability
  - CVE-xxxx-xxxx (MS-xx-xxx) - Windows Task Scheduler Vulnerability
- These vulnerabilities allow Stuxnet to execute as a system application (it runs like a system process)

Installation Mechanism
- It installs these files:
  %SystemRoot%\inf\oem7A.PNF
  %SystemRoot%\inf\mdmeric3.PNF
  %SystemRoot%\inf\mdmcpq3.PNF
  %SystemRoot%\inf\oem6C.PNF
  %SystemRoot%\Drivers\mrxnet.sys
  %SystemRoot%\Drivers\mrxcls.sys
- Then it adds MrxNet & MrxCls to the registry to make sure they are executed on every boot

Disabling Windows Defender
- It modifies some registry entries related to Windows Defender:
  SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    EnableUnknownPrompts
    EnableKnownGoodPrompts
    ServicesAndDriversAgent
- These modifications allow Stuxnet to work normally without being blocked
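An added host-triage example for the two preceding slides (not code from the deck): it takes a snapshot of a host's files, driver services and the Windows Defender Real-Time Protection values, and reports the artefacts the slides list plus any drift in those registry values from a recorded known-good baseline. The snapshot layout, the baseline values and the sample host data are constructed for the example; on a real host they would be collected with the usual file, service and registry queries, and the slides do not say which values Stuxnet writes, so the check looks for change rather than for a specific value.

```python
# File and registry artefacts from the "Installation Mechanism" and
# "Disabling Windows Defender" slides, expressed as checks over a host snapshot.
STUXNET_FILES = (
    r"%SystemRoot%\inf\oem7A.PNF",
    r"%SystemRoot%\inf\mdmeric3.PNF",
    r"%SystemRoot%\inf\mdmcpq3.PNF",
    r"%SystemRoot%\inf\oem6C.PNF",
    r"%SystemRoot%\Drivers\mrxnet.sys",
    r"%SystemRoot%\Drivers\mrxcls.sys",
)
STUXNET_SERVICES = ("mrxnet", "mrxcls")
STUXNET_DRIVERS = ("mrxnet.sys", "mrxcls.sys")
DEFENDER_RTP_KEY = r"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"


def expand_root(path: str, system_root: str) -> str:
    """Expand %SystemRoot% and normalise case for comparison."""
    return path.replace("%SystemRoot%", system_root).lower()


def triage(snapshot: dict, baseline: dict) -> list:
    """Return (category, detail) findings for one host snapshot.

    snapshot = {"system_root": str, "files": set of full paths,
                "services": {service name: image path},
                "registry": {(key, value name): data}}
    baseline holds the registry values recorded when the host was known-good.
    """
    findings = []
    present = {p.lower() for p in snapshot["files"]}
    for ioc in STUXNET_FILES:
        if expand_root(ioc, snapshot["system_root"]) in present:
            findings.append(("file", ioc))
    for name, image in snapshot["services"].items():
        driver = image.lower().rsplit("\\", 1)[-1]
        # Match on the service name or on the driver it points at, so a renamed
        # service entry that still loads the driver is surfaced too.
        if name.lower() in STUXNET_SERVICES or driver in STUXNET_DRIVERS:
            findings.append(("service", f"{name} -> {image}"))
    current = {k: v for k, v in snapshot["registry"].items() if k[0].lower() == DEFENDER_RTP_KEY.lower()}
    expected = {k: v for k, v in baseline.items() if k[0].lower() == DEFENDER_RTP_KEY.lower()}
    for k in sorted(set(current) | set(expected)):      # added, removed or changed values
        if current.get(k) != expected.get(k):
            findings.append(("registry", f"{k[0]}\\{k[1]}: {expected.get(k)} -> {current.get(k)}"))
    return findings


# Constructed baseline and snapshot; the data values are illustrative, not Windows defaults.
CONSTRUCTED_BASELINE = {
    (DEFENDER_RTP_KEY, "EnableUnknownPrompts"): 1,
    (DEFENDER_RTP_KEY, "EnableKnownGoodPrompts"): 1,
    (DEFENDER_RTP_KEY, "ServicesAndDriversAgent"): 1,
}
CONSTRUCTED_SNAPSHOT = {
    "system_root": r"C:\Windows",
    "files": {r"C:\Windows\inf\oem7A.PNF", r"C:\Windows\inf\mdmcpq3.PNF", r"C:\Windows\inf\layout.inf"},
    "services": {"MRxCls": r"C:\Windows\Drivers\mrxcls.sys", "Spooler": r"C:\Windows\System32\spoolsv.exe"},
    "registry": {
        (DEFENDER_RTP_KEY, "EnableUnknownPrompts"): 0,
        (DEFENDER_RTP_KEY, "EnableKnownGoodPrompts"): 1,
        (DEFENDER_RTP_KEY, "ServicesAndDriversAgent"): 0,
    },
}

if __name__ == "__main__":
    for category, detail in triage(CONSTRUCTED_SNAPSHOT, CONSTRUCTED_BASELINE):
        print(f"[{category}] {detail}")
```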

Spreading Mechanism: USB Infection
- Stuxnet uses a vulnerability in the Windows OS: CVE-2010-2568 (MS-10-046) - Windows Shell LNK Vulnerability
- This vulnerability is found in shortcuts to CPL files
- For these shortcuts, Explorer loads the icon dynamically
- This loading makes Explorer load the CPL file and call its entry point
- Stuxnet uses this trick to make Explorer call the entry point of its executable
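A heuristic .lnk triage routine for the shortcut abuse described above, added here as an example and not taken from the deck: it parses the shell link header and the LinkTargetIDList, and flags a shortcut whose root item is the Control Panel folder but whose item path points at a module that is not a .cpl file, or that lives on a remote or device path. The CLSIDs are the documented shell link and Control Panel identifiers; the sample shortcuts, the item layouts and the ~WTR4141.tmp device path are constructed for the demonstration.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")           # {00021401-0000-0000-C000-000000000046}
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # {21EC2020-3AEA-1069-A2DD-08002B30309D}
HAS_LINK_TARGET_ID_LIST = 0x1                                             # LinkFlags bit 0
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")                        # printable UTF-16LE runs


def parse_idlist(data: bytes, offset: int) -> list:
    """Return the payload of each ItemID in the LinkTargetIDList that starts at `offset`."""
    size = struct.unpack_from("<H", data, offset)[0]          # IDListSize, includes the TerminalID
    pos, end = offset + 2, offset + 2 + size
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:                                    # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def utf16_strings(blob: bytes) -> list:
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def lnk_findings(data: bytes) -> list:
    """Heuristic triage of one .lnk: reports Control Panel items that name a module Explorer would load."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    items = parse_idlist(data, 0x4C)
    control_panel_root = bool(items) and items[0][:1] == b"\x1f" and CONTROL_PANEL_CLSID in items[0]
    findings = []
    for item in items[1:]:
        for s in utf16_strings(item):
            if "\\" not in s:
                continue
            leaf = s.rsplit("\\", 1)[-1]
            ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
            if control_panel_root and ext != "cpl":
                findings.append(f"Control Panel item points at a non-CPL module: {s}")
            if s.startswith("\\\\"):
                findings.append(f"module path on a remote or device path: {s}")
    return findings


def build_lnk(items: list) -> bytes:
    """Constructed .lnk with only a header and a LinkTargetIDList (test data, not a real shortcut)."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)                  # HeaderSize
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(idlist)) + idlist


MY_COMPUTER_CLSID = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")   # {20D04FE0-3AEA-1069-A2D8-08002B30309D}
CONSTRUCTED_BENIGN = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x00\x00" + r"C:\Users\demo\notes.txt".encode("utf-16-le") + b"\x00\x00",
])
CONSTRUCTED_STUXNET_STYLE = build_lnk([
    b"\x1f\x00" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + r"\\.\STORAGE#Volume#CONSTRUCTED#\~WTR4141.tmp".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    print("benign:", lnk_findings(CONSTRUCTED_BENIGN))
    print("suspect:", lnk_findings(CONSTRUCTED_STUXNET_STYLE))
```

The item payloads are scanned for UTF-16 runs rather than decoded field by field, which keeps the routine independent of the many ItemID sub-formats; the cost is that it is a triage heuristic, useful for sweeping removable media and file shares, not a parser that proves exploitation.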

Spreading Mechanism: Network
- Stuxnet spreads via the network by using 2 vulnerabilities:
  - CVE-2010-2729 (MS-10-061) - Windows Print Spooler Service Vulnerability
  - CVE-2008-4250 (MS-08-067) - Windows Server Service NetPathCanonicalize()
- The 1st vulnerability allows Stuxnet to infect PCs that share their printers
- The 2nd was used before by Conficker and allows Stuxnet to spread via network shares

Updating Mechanism
- Stuxnet updates itself via 2 websites:
  www.mypremierfutbol.com
  www.todaysfutbol.com
- Stuxnet also updates itself via a P2P connection (on isolated machines)
- The peers communicate via an RPC connection
- This lets it control the ICS machines without a direct connection to the Internet
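The two update sites above are a detection opportunity on the Internet-facing side, so here is an added example (not code from the deck) that sweeps proxy log lines for requests to those domains or any of their subdomains, while refusing look-alike domains that merely end in the same letters. The log line layout and the sample lines are constructed for the example; the P2P/RPC path between isolated machines does not cross this choke point and needs host or east-west telemetry instead.

```python
import re
from urllib.parse import urlsplit

# The two update sites named on the slide; matching is on the registrable
# domain so that any subdomain (www. or otherwise) is caught as well.
STUXNET_UPDATE_DOMAINS = ("mypremierfutbol.com", "todaysfutbol.com")

# Constructed proxy log layout: timestamp, client, method, URL, status.
# The field order is an assumption for this example, not a real product's format.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def domain_matches(host: str, watch=STUXNET_UPDATE_DOMAINS) -> bool:
    """True if host is a watched domain or a subdomain of one (label-aligned, no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch)


def scan_proxy_log(lines, watch=STUXNET_UPDATE_DOMAINS) -> list:
    """Return one record per request whose destination host is on the watch list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                  # unparsable line: skip, keep sweeping
        host = urlsplit(m["url"]).hostname or ""
        if domain_matches(host, watch):
            hits.append({"ts": m["ts"], "src": m["src"], "host": host, "url": m["url"]})
    return hits


# Constructed sample lines, including a look-alike domain that must not match.
CONSTRUCTED_LOG = [
    "2015-05-20T10:00:01Z 10.0.5.17 GET http://www.mypremierfutbol.com/index.php?data=CONSTRUCTED 200",
    "2015-05-20T10:00:02Z 10.0.5.17 GET http://www.example.org/ 200",
    "2015-05-20T10:00:03Z 10.0.5.23 POST http://todaysfutbol.com/index.php 200",
    "2015-05-20T10:00:04Z 10.0.5.31 GET http://www.notmypremierfutbol.com/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(CONSTRUCTED_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}")
```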

Rootkits
- A rootkit is a program (or tool) used by malware to hide its presence
- In Stuxnet, the rootkits hide Stuxnet's files on the infected USB flash memory
- Stuxnet has 2 rootkits: a User-Mode and a Kernel-Mode rootkit

User-Mode Rootkit
- Loaded by the LNK vulnerability
- Used only once, before infecting a machine
- It modifies the pointers to the file management APIs
- Changes the input or the output of these APIs
- Hides the Stuxnet files on the flash memory

Kernel-Mode Rootkit
- It's a device driver
- It's installed during the installation process of Stuxnet
- It's a simple file system filter
- It modifies the outputs and the inputs of the file management functions inside the kernel

Loading Mechanism
- There are two ways for Stuxnet to load:
1. WTR4141.TMP: loaded by the LNK vulnerability; loads the main dropper of Stuxnet
2. MrxCls: it's a device driver; injects Stuxnet into services.exe every time the system boots

Thank You
For any question don't forget to mail me at: Amr.thabet@student.alx.edu.eg
For more about me visit my website http://www.amrthabet.co.cc or my blog http://blog.amrthabet.co.cc

Thank You