Stuxnet - Case Study

Case Study: Stuxnet. By Amr Thabet

Description

This presentation was given for CISS6011 Special Topic: Cybersecurity at the University of Sydney.

Transcript of Stuxnet - Case Study

Page 1: Stuxnet  - Case Study

Case Study: Stuxnet. By Amr Thabet

Page 2: Stuxnet  - Case Study

Stuxnet Overview

- Most sophisticated malware ever seen in public
- Uses up to 6 vulnerabilities (5 in Windows and 1 in Siemens)
- Its code is ~1.5 MB (very large)
- Has 3 rootkits (user-mode, kernel-mode and PLC rootkit)
- Spreads via USB flash memory and network shares
- Updates itself via the Internet by connecting (HTTP) to two websites (encrypted connection)
- Infects SCADA systems
- The first malware that has a physical payload

Page 3: Stuxnet  - Case Study

Stuxnet Life Cycle

Page 4: Stuxnet  - Case Study

Stuxnet's Main Dropper

- The dropper is a program that contains the real malware and carries it from one PC to another (like a ship).
- It loads the main DLL in a special way: it calls LoadLibraryA and hooks the file management APIs that LoadLibraryA uses, so that the DLL is read from memory rather than from a file on the disk.

Page 5: Stuxnet  - Case Study

Process Injection

- Stuxnet injects itself into a process (usually lsass.exe).
- It copies itself into the memory of lsass and then forces lsass to execute it by modifying its code.
- In Stuxnet's case it unloads (removes) the original process image (lsass) from memory while the process is suspended, and then loads another PE file into that memory which has the same entry point.

Page 6: Stuxnet  - Case Study

Escalation of Privileges

- Escalation of privileges means doing something you are not allowed to do. In Stuxnet's case it obtains administrator privileges to install itself.
- It uses 2 vulnerabilities in the Windows OS:
  CVE-2010-2743 (MS-10-073) – Win32k.sys Keyboard Layout Vulnerability
  CVE-xxxx-xxxx (MS-xx-xxx) – Windows Task Scheduler Vulnerability
- These vulnerabilities allow Stuxnet to execute as a system application (it runs like a system process).

Page 7: Stuxnet  - Case Study

Installation Mechanism

- It installs these files:
  %SystemRoot%\inf\oem7A.PNF
  %SystemRoot%\inf\mdmeric3.PNF
  %SystemRoot%\inf\mdmcpq3.PNF
  %SystemRoot%\inf\oem6C.PNF
  %SystemRoot%\Drivers\mrxnet.sys
  %SystemRoot%\Drivers\mrxcls.sys
- Then it adds MrxNet and MrxCls to the registry to make sure they are executed on every boot.

Page 8: Stuxnet  - Case Study

Disabling Windows Defender

- It modifies some registry entries related to Windows Defender:
  SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
  EnableUnknownPrompts
  EnableKnownGoodPrompts
  ServicesAndDriversAgent
- These modifications allow Stuxnet to work normally without being blocked.

Page 9: Stuxnet  - Case Study

Spreading Mechanism: USB Infection

- Stuxnet uses a vulnerability in the Windows OS:
  CVE-2010-2568 (MS-10-046) – Windows Shell LNK Vulnerability
- This vulnerability is found in shortcuts to CPL files.
- In these shortcuts Explorer loads the icon dynamically.
- This loading makes Explorer load the CPL file and call its entry point.
- Stuxnet uses this trick to make Explorer call the entry point of its executable.
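The shortcut handling described on this slide is what a defender would look at when triaging .lnk files from removable media. As an added example that is not code from the presentation, the script below parses the Windows Shell Link format (per MS-SHLLINK: the 76-byte header, the optional LinkTargetIDList and LinkInfo blocks, then the StringData fields) and reports which icon source a shortcut will make Explorer load, flagging shortcuts whose icon comes from a .cpl or .dll module. The sample shortcuts are constructed by build_lnk() inside the script, and the library-extension heuristic and the UTF-16 scan of item IDs are my own, not the author's.

```python
"""Minimal Windows Shell Link (.lnk) parser for shortcut triage.
Added example, not code from the presentation. Layout follows MS-SHLLINK:
ShellLinkHeader (76 bytes), optional LinkTargetIDList, optional LinkInfo,
then StringData (name, relative path, working dir, arguments, icon location).
The sample shortcuts are constructed by build_lnk() below, not real files."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                 HAS_ARGUMENTS, HAS_ICON_LOCATION)
# Heuristic (mine, not from the slides): an icon sourced from a code module
# means Explorer loads that module just to render the shortcut.
LIBRARY_EXTENSIONS = (".cpl", ".dll")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_lnk(data: bytes) -> dict:
    """Parse header, LinkTargetIDList and StringData; raise on non-LNK input."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = 76
    item_ids = []
    if flags & HAS_LINK_TARGET_IDLIST:
        idlist_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + idlist_size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:          # TerminalID closes the list
                break
            item_ids.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:           # LinkInfoSize counts itself; skip the block
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for field in STRING_FIELDS:         # StringData appears in this fixed order
        if not flags & field:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[field] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return {"flags": flags, "icon_index": icon_index, "item_ids": item_ids,
            "icon_location": strings.get(HAS_ICON_LOCATION),
            "relative_path": strings.get(HAS_RELATIVE_PATH)}


def audit_lnk(data: bytes) -> dict:
    """Collect every path-like string the shortcut carries and flag code-module icons."""
    info = parse_lnk(data)
    referenced = []
    if info["icon_location"]:
        referenced.append(info["icon_location"])
    for item in info["item_ids"]:       # item IDs are opaque; scan them for UTF-16 text
        for match in UTF16_RUN.finditer(item):
            referenced.append(match.group().decode("utf-16-le"))
    library_icons = [p for p in referenced if p.lower().endswith(LIBRARY_EXTENSIONS)]
    return {"referenced": referenced, "library_icons": library_icons,
            "suspicious": bool(library_icons)}


def build_lnk(icon_location=None, item_ids=()) -> bytes:
    """Construct a minimal .lnk for testing (constructed sample, not a real shortcut)."""
    flags = IS_UNICODE
    body = b""
    if item_ids:
        flags |= HAS_LINK_TARGET_IDLIST
        idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0)
              + b"\x00" * 24                      # creation/access/write FILETIMEs
              + struct.pack("<IiIH", 0, 0, 1, 0)  # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                     # Reserved1..3
    return header + body


# Constructed samples: a benign shortcut, one whose icon is a .cpl, and one whose
# ID list carries a .cpl path with no icon string at all.
MY_COMPUTER_ITEM = b"\x1f\x50" + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")
SAMPLE_SHORTCUTS = {
    "notepad.lnk": build_lnk(icon_location=r"C:\Windows\notepad.exe"),
    "cpl_icon.lnk": build_lnk(icon_location=r"E:\sample.cpl"),
    "idlist_cpl.lnk": build_lnk(item_ids=[MY_COMPUTER_ITEM,
                                          b"\x00\x00" + r"E:\sample.cpl".encode("utf-16-le")]),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_SHORTCUTS.items():
        print(name, audit_lnk(blob))
```

The ID-list scan matters because a shortcut does not need an ICON_LOCATION string to make Explorer resolve an icon; the target item list alone can name the module, so a check that only reads the icon string would miss that case.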

Page 10: Stuxnet  - Case Study

Spreading Mechanism: Network

- Stuxnet spreads via the network by using 2 vulnerabilities:
  CVE-2010-2729 (MS-10-061) – Windows Print Spooler Service Vulnerability
  CVE-2008-4250 (MS-08-067) – Windows Server Service NetPathCanonicalize() Vulnerability
- The 1st vulnerability allows Stuxnet to infect PCs that share their printers.
- The 2nd was used before in Conficker and allows Stuxnet to spread via network shares.

Page 11: Stuxnet  - Case Study

Updating Mechanism

- Stuxnet updates itself via 2 websites:
  www.mypremierfutbol.com
  www.todaysfutbol.com
- Stuxnet also updates itself via a P2P connection (on isolated machines).
- The infected machines communicate via RPC connections.
- This lets it control the ICS machines without a direct connection to the Internet.
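Slides 7, 8 and 11 together give a small set of host and network indicators: the dropped files, the MrxNet/MrxCls driver registrations, the Windows Defender real-time protection values and the two update sites. As an added example that is not part of the presentation, the script below audits a host snapshot for all of them. The snapshot layout, the %SystemRoot% expansion and SAMPLE_SNAPSHOT are my own constructions; the Services registry location is standard for kernel drivers, and treating a Defender value of 0 as "disabled" is an assumption because the slides do not state the values written.

```python
"""Offline triage of a host snapshot against the Stuxnet indicators on slides 7,
8 and 11: dropped files, the MrxNet/MrxCls driver services, the Windows Defender
real-time protection values and the two update domains. Added example, not code
from the presentation. The snapshot layout and SAMPLE_SNAPSHOT are constructed
here; on a live host they would come from a file listing, a registry export and
DNS query logs."""
import ntpath

SYSTEM_ROOT = r"C:\Windows"  # constructed expansion of %SystemRoot% for the sample

DROPPED_FILES = [  # paths exactly as listed on slide 7
    r"%SystemRoot%\inf\oem7A.PNF",
    r"%SystemRoot%\inf\mdmeric3.PNF",
    r"%SystemRoot%\inf\mdmcpq3.PNF",
    r"%SystemRoot%\inf\oem6C.PNF",
    r"%SystemRoot%\Drivers\mrxnet.sys",
    r"%SystemRoot%\Drivers\mrxcls.sys",
]
# Slide 7: both drivers are registered so they run on every boot. Kernel drivers
# register under HKLM\SYSTEM\CurrentControlSet\Services; the snapshot carries that
# key as a name -> properties mapping.
DRIVER_SERVICES = {"mrxnet": "mrxnet.sys", "mrxcls": "mrxcls.sys"}
DEFENDER_RTP_KEY = r"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"  # slide 8
DEFENDER_VALUES = ("EnableUnknownPrompts", "EnableKnownGoodPrompts", "ServicesAndDriversAgent")
UPDATE_DOMAINS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}  # slide 11


def expand_path(path: str) -> str:
    """Expand the %SystemRoot% placeholder used on the slides."""
    return path.replace("%SystemRoot%", SYSTEM_ROOT)


def audit_snapshot(snapshot: dict) -> list:
    """Return (category, detail) findings; an empty list means no indicator matched."""
    findings = []
    present = {p.lower() for p in snapshot.get("files", [])}
    for indicator in DROPPED_FILES:
        if expand_path(indicator).lower() in present:
            findings.append(("file", indicator))
    for name, props in snapshot.get("services", {}).items():
        image = ntpath.basename(props.get("ImagePath", "")).lower()
        if name.lower() in DRIVER_SERVICES or image in DRIVER_SERVICES.values():
            findings.append(("service", f"{name} ImagePath={props.get('ImagePath')} "
                                        f"Start={props.get('Start')}"))
    rtp = snapshot.get("registry", {}).get(DEFENDER_RTP_KEY, {})
    for value in DEFENDER_VALUES:
        # Assumption: the slides do not give the values written; 0 is treated as "disabled".
        if rtp.get(value) == 0:
            findings.append(("defender", f"{value}=0"))
    for query in snapshot.get("dns_queries", []):
        if query.lower().rstrip(".") in UPDATE_DOMAINS:
            findings.append(("network", query))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category, e.g. {'file': 3, 'service': 1}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


SAMPLE_SNAPSHOT = {  # constructed: a partial infection plus benign noise
    "files": [r"C:\Windows\inf\oem7A.PNF", r"C:\Windows\inf\mdmcpq3.PNF",
              r"C:\Windows\Drivers\mrxcls.sys", r"C:\Windows\notepad.exe"],
    "services": {"MRxCls": {"ImagePath": r"C:\Windows\Drivers\mrxcls.sys", "Start": 1},
                 "Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 2}},
    "registry": {DEFENDER_RTP_KEY: {"EnableUnknownPrompts": 0, "EnableKnownGoodPrompts": 1}},
    "dns_queries": ["www.todaysfutbol.com.", "www.microsoft.com"],
}

if __name__ == "__main__":
    for finding in audit_snapshot(SAMPLE_SNAPSHOT):
        print(finding)
    print(summarize(audit_snapshot(SAMPLE_SNAPSHOT)))
```

Matching the driver services by both service name and image file name is deliberate: a boot-start service whose ImagePath points at one of the dropped drivers is the persistence described on slide 7 even if the service was registered under a different name.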

Page 12: Stuxnet  - Case Study

Rootkits

- A rootkit is a program (or tool) used by malware to hide its presence.
- In Stuxnet, the rootkits hide Stuxnet's files on the infected USB flash memory.
- Stuxnet has 2 rootkits: a user-mode and a kernel-mode rootkit.

Page 13: Stuxnet  - Case Study

User-Mode Rootkit

- Loaded by the LNK vulnerability
- Used only once, before infecting a machine
- It modifies the pointers to the file management APIs
- It changes the input or the output of these APIs
- It hides the Stuxnet flash memory files

Page 14: Stuxnet  - Case Study

Kernel-Mode Rootkit

- It's a device driver
- It's installed during the installation process of Stuxnet
- It's a simple file system filter
- It modifies the outputs and the inputs of the file management functions inside the kernel

Page 15: Stuxnet  - Case Study

Loading Mechanism

There are two ways for Stuxnet to load:

1. WTR4141.TMP: loaded by the LNK vulnerability; it loads the main dropper of Stuxnet.
2. MrxCls: it's a device driver; it injects Stuxnet into services.exe every time the system boots.

Page 16: Stuxnet  - Case Study

Thank You

For any question don't forget to mail me at: [email protected]

For more about me visit my website: http://www.amrthabet.co.cc

Or my blog: http://blog.amrthabet.co.cc

Page 17: Stuxnet  - Case Study

Thank You